Procedure: Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | Telemetry | Telemetry within the process tree showed Resume Viewer.exe running along with its children. |
| Carbon Black | General Behavior | A General Behavior alert was generated indicating that the user Debbie executed Resume Viewer.exe. This alert had a severity score of 51/100 and was based upon "Newly Executed Applications". |
| CrowdStrike | Telemetry | Telemetry within the alert showed that Resume Viewer.exe executed, and would also be available in a separate view. |
| CrowdStrike | General Behavior | A General Behavior alert for Machine Learning showed that Resume Viewer.exe was executed and that it was detected as malicious. |
| Cybereason | General Behavior | A General Behavior alert was generated based on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. |
| Cybereason | Telemetry (Tainted) | Telemetry showed that Resume Viewer.exe was executed and running as a process. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. |
| Cybereason | General Behavior | A General Behavior alert was generated based on the identification of Resume Viewer.exe as unknown malware by the Anti-Malware engine. |
| Endgame | General Behavior | A General Behavior alert was generated for Malicious File Detection on the execution of Resume Viewer.exe. |
| Endgame | Telemetry (Tainted) | Telemetry showed events surrounding the Resume Viewer.exe event to indicate execution (tainted by a parent Malicious File Detection). |
| FireEye | Telemetry | Telemetry showed Resume Viewer.exe executing with a parent process of explorer.exe. |
| FireEye | General Behavior (Configuration Change) | A General Behavior alert was generated for the Resume Viewer.exe file due to it being labeled as malicious by a machine learning engine. The alert was generated after a configuration change of the file size limit for the machine learning engine. |
| F-Secure | General Behavior | A General Behavior alert was generated for the execution of a rare file (Resume Viewer.exe). |
| F-Secure | Telemetry | Telemetry showed the execution of Resume Viewer.exe as a process. |
| GoSecure | Telemetry (Tainted) | Telemetry showed that Resume Viewer.exe was executed. The telemetry was tainted by the parent Script File Created alert. |
| McAfee | Telemetry | Telemetry showed that Resume Viewer.exe was executed by Explorer.exe as user Debbie. |
| Microsoft | Telemetry | Telemetry showed the user execution sequence of Resume Viewer.exe with multiple files written and subsequently executed. |
| Palo Alto Networks | Telemetry | Telemetry showed that Resume Viewer.exe was executed and running as a process owned by user Debbie. |
| RSA | Telemetry | Telemetry showed execution of Resume Viewer.exe. |
| SentinelOne | General Behavior | A General Behavior alert was generated due to static analysis of the file through the DFI resulting in it being marked as suspicious, which generated a story (group ID) that subsequent linked events are tainted by. |
| SentinelOne | Telemetry | Telemetry showed Resume Viewer.exe execution with subsequent file writes and execution. |
Procedure (as described in the vendor notes): rundll32.exe executing update.dat

| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | Enrichment | The capability enriched the rundll32.exe execution with the correct ATT&CK Technique (T1085 - Rundll32). |
| Carbon Black | Telemetry | Telemetry within the process tree showed the Resume Viewer.exe execution sequence and rundll32.exe executing. |
| CrowdStrike | Specific Behavior | A Specific Behavior alert was generated due to rundll32 launching a suspended process. The alert was mapped to the correct ATT&CK Technique (Rundll32) and Tactic (Defense Evasion). |
| CrowdStrike | General Behavior (Delayed) | OverWatch generated a General Behavior alert indicating rundll32 executing update.dat was suspicious. |
| CrowdStrike | Telemetry | Telemetry within the OverWatch alert showed rundll32.exe executing, and would also be available in a separate view. |
| Cybereason | Telemetry (Tainted) | Telemetry within the rundll32.exe injection alert also showed the full command-line arguments of rundll32.exe executing update.dat. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. |
| Cybereason | Specific Behavior (Tainted) | A Specific Behavior alert was generated for shellcode injected by a compromised legitimate process (rundll32.exe). The alert was tagged with the correct ATT&CK Tactic (Defense Evasion) and a related Technique (Process Injection) and was tainted by a parent alert on rundll32.exe injection. |
| Cybereason | Specific Behavior (Tainted) | A Specific Behavior alert was generated for rundll32.exe launching a module in a temporary folder and injecting shellcode into a victim process. The alert was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. |
| Endgame | Specific Behavior (Tainted) | A Specific Behavior alert called RunDLL32 with Suspicious DLL Location was generated due to rundll32.exe running update.dat. The alert was also tagged with the correct ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution) and was tainted by a parent Malicious File Detection alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed rundll32.exe running update.dat. The telemetry was tainted by a parent Malicious File Detection alert. |
| FireEye | Enrichment | The capability enriched rundll32.exe with an alert for Rundll32 Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified the use of rundll32.exe to execute update.dat with command-line arguments. |
| F-Secure | Telemetry | Telemetry showed rundll32.exe executing update.dat. |
| F-Secure | General Behavior | A General Behavior alert was generated for an unusual call to rundll32.exe. |
| F-Secure | Specific Behavior | A Specific Behavior alert was generated for rundll32.exe executing in a way typical of rundll32 injections. |
| GoSecure | Telemetry (Tainted) | Telemetry showed that cmd.exe created the rundll32.exe process that started update.dat. The telemetry was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing update.dat via rundll32.exe. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| McAfee | Specific Behavior | Specific Behavior alerts were generated based on the suspicious indicator "Loaded non-DLL and non-CPL file with specified parameters via rundll32." The alerts were tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Technique (Rundll32). |
| Microsoft | Telemetry | Telemetry showed the execution sequence for rundll32.exe running update.dat. |
| Microsoft | General Behavior (Delayed) | A delayed General Behavior alert was generated for a low-reputation DLL loaded by a signed executable, due to rundll32.exe executing update.dat. |
| Palo Alto Networks | Specific Behavior (Tainted) | Specific Behavior alerts were generated for rundll32. The alerts were tagged with the correct ATT&CK Technique (Rundll32) and were tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed rundll32.exe executing update.dat with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | General Behavior (Tainted) | A General Behavior alert was generated based on rundll32.exe executing update.dat, identified as a suspicious DLL and malware. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed cmd.exe launching rundll32.exe. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed rundll32.exe executing as a result of Resume Viewer.exe running. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). |
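The notes above describe three rundll32 signals the vendors fired on: a module that is neither a .dll nor a .cpl (update.dat), a module loaded from a temporary folder, and a command shell spawned under rundll32.exe. The Python below is an added example, not code from the evaluation or from any vendor; the event layout, pids and directory names are assumed.

```python
"""Added example, not from the ATT&CK Evaluation results: detection logic for the
rundll32.exe behaviours the vendor notes describe (a non-DLL/non-CPL module such
as update.dat, a module loaded from a temporary or user-writable folder, and a
command shell spawned under rundll32.exe), run over constructed process events.
Event fields, pids and paths are assumptions, not values from the evaluation."""
import ntpath
import re

# Constructed process-creation events: the file names update.dat and pdfhelper.cmd
# come from the evaluation write-up; pids and directories are made up.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\Debbie\AppData\Local\Temp\pdfhelper.cmd"'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\Debbie\AppData\Local\Temp\update.dat",#1'},
    {"pid": 5010, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"pid": 5022, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\inetcpl.cpl,ClearMyTracksByProcess 8"},
    {"pid": 5100, "ppid": 4188, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ipconfig /all"},
]

# Module types rundll32 is expected to load; anything else is the McAfee-style
# "non-DLL and non-CPL file" indicator.
EXPECTED_MODULE_EXT = {".dll", ".cpl"}
# Folders a signed system binary should not normally load modules from
# (Endgame's "Suspicious DLL Location", Cybereason's "module in a temporary folder").
USER_WRITABLE_DIR = re.compile(r"\\(temp|tmp|appdata|downloads|public|programdata)\\", re.I)
# The leading rundll32 token, optionally quoted or with a directory prefix.
RUNDLL32_TOKEN = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<rest>.*)$', re.I)
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def rundll32_module(cmdline):
    """Return the module path rundll32 was asked to load, or None.

    rundll32 takes '<module>,<entry> [args]'; the module may be quoted when the
    path contains spaces, otherwise it ends at the first comma or whitespace."""
    m = RUNDLL32_TOKEN.match(cmdline)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 1 else None
    token = rest.split(None, 1)[0] if rest.strip() else ""
    module = token.split(",", 1)[0]
    return module or None


def check_rundll32_event(event):
    """Findings for a single process-creation event (empty list if benign)."""
    findings = []
    if ntpath.basename(event["image"]).lower() != "rundll32.exe":
        return findings
    module = rundll32_module(event["cmdline"])
    if module is None:
        return findings
    ext = ntpath.splitext(module)[1].lower()
    if ext not in EXPECTED_MODULE_EXT:
        findings.append(f"rundll32 loaded non-DLL/non-CPL module: {module}")
    if USER_WRITABLE_DIR.search(module):
        findings.append(f"rundll32 module in user-writable location: {module}")
    return findings


def scan_rundll32(events):
    """Map pid -> findings for every rundll32 event that triggered a rule."""
    hits = {}
    for e in events:
        findings = check_rundll32_event(e)
        if findings:
            hits[e["pid"]] = findings
    return hits


def unusual_rundll32_children(events):
    """Pids of command shells whose parent is rundll32.exe (the 'Unusual Child
    Process of RunDLL32' / 'cmd.exe spawning out of rundll32.exe' pattern)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if (ntpath.basename(parent["image"]).lower() == "rundll32.exe"
                and ntpath.basename(e["image"]).lower() in SHELLS):
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    for pid, findings in scan_rundll32(SAMPLE_EVENTS).items():
        print(pid, findings)
    print("shells under rundll32:", unusual_rundll32_children(SAMPLE_EVENTS))
```

The two Control Panel invocations are left alone, which is the point of keying on the module's extension and location rather than on rundll32.exe itself.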
Procedure (as described in the vendor notes): cmd.exe executing the pdfhelper.cmd script

| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | Enrichment | The capability enriched the cmd.exe execution with the correct ATT&CK Technique (T1064 - Scripting). |
| Carbon Black | Telemetry | Telemetry within the process tree showed cmd.exe executing the pdfhelper.cmd script. |
| CrowdStrike | Telemetry | Telemetry showed pdfhelper.cmd being executed by cmd.exe. |
| CrowdStrike | General Behavior (Delayed) | OverWatch generated a General Behavior alert indicating the execution of pdfhelper.cmd was suspicious. |
| Cybereason | Telemetry (Tainted) | Telemetry showed cmd.exe launching pdfhelper.cmd. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. |
| Endgame | Telemetry (Tainted) | Telemetry showed cmd.exe executing pdfhelper.cmd as well as pdfhelper.cmd spawning as a child process of Resume Viewer.exe. The telemetry was tainted by a parent Malicious File Detection alert. |
| FireEye | Telemetry | Telemetry showed Resume Viewer.exe spawning the child process cmd.exe to launch pdfhelper.cmd. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (cmd.exe running pdfhelper.cmd) had been tagged for monitoring because its parent process (Resume Viewer.exe) had a detection. |
| F-Secure | Telemetry | Telemetry showed pdfhelper.cmd was executed by cmd.exe. |
| GoSecure | Telemetry (Tainted) | Telemetry showed that Resume Viewer.exe created cmd.exe, which ran the script pdfhelper.cmd. The telemetry was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed pdfhelper.cmd being executed by cmd.exe. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| RSA | None | No detection capability demonstrated for this procedure, though telemetry showed the execution sequence of Resume Viewer.exe executing cmd.exe, which executed rundll32.exe (the pdfhelper.cmd script was not shown). |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing the pdfhelper.cmd script. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). |
Procedure (as described in the vendor notes): autoupdate.bat written to the Startup folder for persistence

| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed filemod events indicating the creation and write of autoupdate.bat in the Startup folder. |
| Carbon Black | Enrichment | The capability enriched cmd.exe with the correct ATT&CK Technique (T1060 - Registry Run Keys / Start Folder). |
| CrowdStrike | Telemetry | Telemetry showed registry activity related to the Startup folder. Though no screenshot of the file write is available, this data may be indicative of modifications to the folder. |
| Cybereason | Telemetry (Tainted) | Telemetry showed cmd.exe rewriting autoupdate.bat to the user Debbie's Startup folder. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. |
| Endgame | Specific Behavior (Tainted) | A Specific Behavior alert called "Detected Persistence - Start Folder Persistence" was generated due to cmd.exe writing autoupdate.bat to the Startup folder. The alert was also tagged with the correct ATT&CK Technique (T1060 - Registry Run Keys / Start Folder) and Tactic (Persistence). The Specific Behavior alert was tainted by a parent Malicious File Detection alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed autoupdate.bat written to the Start Menu. The telemetry was tainted by a parent Malicious File Detection alert. |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that the backdoor persisted by executing autoupdate.bat at system start due to its presence in the Startup directory. |
| FireEye | Telemetry | Telemetry showed autoupdate.bat being written to the Startup folder. |
| FireEye | Enrichment | The capability enriched the file write of autoupdate.bat to the Startup folder by categorizing it as Persistence. |
| F-Secure | Telemetry | Telemetry showed cmd.exe executing autoupdate.bat from within the Startup folder. |
| GoSecure | Telemetry | Telemetry showed that autoupdate.bat was created in the Startup folder. |
| McAfee | Specific Behavior | A Specific Behavior alert was generated for "An exe/bat/lnk/dll file has been copied or renamed in the Windows Startup Folder" for persistence based on pdfhelper.cmd. The alert was tagged with the correct ATT&CK Tactic (Persistence) and Technique (Registry Run Keys / Start Folder). |
| Microsoft | Telemetry | Telemetry showed the execution sequence for Resume Viewer.exe writing autoupdate.bat to Debbie's Startup folder to establish persistence. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed autoupdate.bat being moved to the user Debbie's Startup folder. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment (Configuration Change, Tainted) | The capability enriched a file being created in the Startup folder with the correct ATT&CK Technique (Registry Run Keys / Start Folder). The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed a cmd.exe "rename to executable" event for autoupdate.bat in the Startup folder. |
| SentinelOne | Telemetry (Tainted) | Telemetry on actions performed from Resume Viewer.exe showed autoupdate.bat being written to the Startup folder. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). |
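The vendors that alerted here keyed on the same thing from different event types: a file that would auto-run (exe/bat/lnk/dll) landing in a Startup folder by create, write, move or rename. The Python below is an added example of that rule over constructed file events, not code from the evaluation or any vendor; the event shape, pids and paths are assumed, and only the autoupdate.bat name and the T1060 mapping come from the notes.

```python
"""Added example, not from the ATT&CK Evaluation results: a file-event rule for
the Startup-folder persistence the notes describe (a script or executable such
as autoupdate.bat created, written, moved or renamed into a user's or the
all-users Startup folder; the evaluation mapped this to T1060). Event shape,
pids and paths are assumptions; the autoupdate.bat name comes from the write-up."""
import ntpath
import re

# Per-user:  C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
# All users: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
USER_FROM_PATH = re.compile(r"^[a-z]:\\users\\([^\\]+)\\", re.I)
# Extensions that auto-run from Startup (the McAfee rule lists exe/bat/lnk/dll;
# .cmd, .vbs, .js, .ps1, .hta and .scr are added here as equally executable).
WATCHED_EXT = {".exe", ".bat", ".cmd", ".lnk", ".dll", ".vbs", ".js", ".ps1", ".hta", ".scr"}
# Operations that land a file in the folder (create/write, or a move/rename whose
# destination is the folder, the RSA "rename to executable" case).
LANDING_OPS = {"create", "write", "rename"}

# Constructed file events; a rename carries its destination in new_path.
SAMPLE_FILE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe", "op": "create",
     "path": r"C:\Users\Debbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoupdate.bat"},
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe", "op": "write",
     "path": r"C:\Users\Debbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoupdate.bat"},
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe", "op": "rename",
     "path": r"C:\Users\Debbie\AppData\Local\Temp\au.tmp",
     "new_path": r"C:\Users\Debbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoupdate.bat"},
    {"pid": 900, "image": r"C:\Windows\explorer.exe", "op": "write",
     "path": r"C:\Users\Debbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
    {"pid": 7300, "image": r"C:\Windows\System32\msiexec.exe", "op": "create",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Vendor Agent.lnk"},
    {"pid": 2200, "image": r"C:\Windows\System32\notepad.exe", "op": "write",
     "path": r"C:\Users\Debbie\Documents\notes.txt"},
]


def landing_path(event):
    """Where the file ends up after this event (rename destination, else path)."""
    return event.get("new_path") or event["path"]


def startup_persistence_hits(events):
    """Return one hit per (writer pid, landed file) for executable content placed
    in a Startup folder; a create, write and rename of the same file by the same
    process collapse into one hit."""
    seen = set()
    hits = []
    for e in events:
        if e["op"] not in LANDING_OPS:
            continue
        target = landing_path(e)
        if not STARTUP_DIR.search(target):
            continue
        if ntpath.splitext(target)[1].lower() not in WATCHED_EXT:
            continue
        key = (e["pid"], target.lower())
        if key in seen:
            continue
        seen.add(key)
        m = USER_FROM_PATH.match(target)
        hits.append({
            "pid": e["pid"],
            "writer": ntpath.basename(e["image"]),
            "file": ntpath.basename(target),
            "scope": f"user:{m.group(1)}" if m else "all-users",
            "op": e["op"],
            # The evaluation used the T1060 identifier for this technique.
            "technique": "T1060 - Registry Run Keys / Start Folder",
        })
    return hits


if __name__ == "__main__":
    for h in startup_persistence_hits(SAMPLE_FILE_EVENTS):
        print(h)
```

The installer-written .lnk in the all-users folder is reported too; the rule finds the landing, and the writing process and its signer are what separate an installer from a cmd.exe launched out of a temp-folder script.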
Procedure (as described in the vendor notes): command and control traffic over port 53

| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| CrowdStrike | None | No detection capability demonstrated for this procedure, though DNS requests for freegoogleadsenseinfo.com (C2 domain) were observed (no detection showed port 53 specifically). |
| Endgame | None | No detection capability demonstrated for this procedure, though DNS requests were observed (no detection showed port 53 specifically). |
| FireEye | Telemetry | Telemetry showed port 53 command and control traffic. |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it observed the use of UDP port 53 for DNS command and control traffic. |
| F-Secure | None | No detection capability demonstrated for this procedure. |
| GoSecure | None | No detection capability demonstrated for this procedure, though DNS requests were observed (no detection showed port 53 specifically). |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Specific Behavior (Tainted) | A Specific Behavior alert was generated for a scripting engine (rundll32.exe) making a network connection over DNS ports. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed port 53 command and control traffic. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |
Procedure (as described in the vendor notes): DNS command and control to freegoogleadsenseinfo.com

| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | Specific Behavior | A Specific Behavior alert was generated for abnormally large DNS requests for freegoogleadsenseinfo.com (C2 domain) being sent. The alert was mapped to a related ATT&CK Technique (Exfiltration Over Alternative Protocol) and Tactic (Exfiltration). |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team also sent an email indicating a Specific Behavior occurred because they observed suspected command and control or data exfiltration via DNS. |
| CrowdStrike | General Behavior (Delayed) | OverWatch also generated a General Behavior alert indicating the DNS traffic was suspicious. |
| CrowdStrike | Telemetry | Telemetry within the OverWatch alert showed the DNS requests, and would also be available in a separate view. |
| Cybereason | Telemetry (Tainted) | Telemetry showed rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert. |
| Endgame | Telemetry (Tainted) | Telemetry in the event tree view showed DNS requests originating from rundll32.exe to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Malicious File Detection alert. |
| FireEye | Indicator of Compromise | An Indicator of Compromise alert was generated for the hardcoded DNS record name syntax in the DNS lookups for freegoogleadsenseinfo.com (C2 domain). The alert was also tagged with the correct ATT&CK Technique (T1071 - Standard Application Layer Protocol) and Tactic (Command and Control). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that command and control occurred via DNS. |
| F-Secure | Telemetry | Telemetry showed a trace of DNS queries being made by rundll32.exe to freegoogleadsenseinfo.com (C2 domain). |
| GoSecure | Telemetry | Telemetry showed that DNS requests to freegoogleadsenseinfo.com (C2 domain) were being performed from svchost.exe on Nimda. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | Telemetry (Configuration Change) | Telemetry showed DNS requests to freegoogleadsenseinfo.com (C2 domain). |
| Palo Alto Networks | None | No detection capability demonstrated for this procedure. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed DNS requests to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). |
Procedure (as described in the vendor notes): encoded (base64) data carried in DNS requests to freegoogleadsenseinfo.com

| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed the base64-encoded DNS requests for freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the parent Exfiltration alert. |
| Cybereason | Telemetry (Tainted) | Telemetry showed base64-encoded DNS requests for freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert. |
| Endgame | None | No detection capability demonstrated for this procedure. |
| FireEye | Telemetry (Tainted) | Telemetry showed base64-encoded DNS requests to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the parent Cobalt Strike DNS Beacon alert. |
| F-Secure | Telemetry | Telemetry showed a trace of encoded DNS queries being made by rundll32.exe to freegoogleadsenseinfo.com (C2 domain). |
| GoSecure | None | No detection capability demonstrated for this procedure, though the capability identified DNS queries (no detection showed data encoding specifically). |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | None | No detection capability demonstrated for this procedure. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed DNS requests with encoded content to freegoogleadsenseinfo.com (the C2 domain). The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). |
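Across the two DNS procedures above (C2 over DNS, and base64-encoded data in the query names), the vendors that alerted did so on "abnormally large" requests and on many distinct encoded-looking subdomains under one domain. The Python below is an added example that scores those two signals over a constructed DNS query log; it is not code from the evaluation or any vendor, and the log format, thresholds, process names and the made-up encoded labels are assumptions (only the C2 domain name comes from the notes).

```python
"""Added example, not from the ATT&CK Evaluation results: the DNS-based C2 signal
several vendors describe (many distinct, base64-looking or hex-looking subdomain
labels under one domain, abnormally long query names), scored over a constructed
DNS query log. The log format, thresholds and process names are assumptions;
freegoogleadsenseinfo.com is the C2 domain named in the write-up."""
from collections import defaultdict
import re

# Constructed log: timestamp, process, pid, query type, query name.
# The encoded labels are made-up base64/hex-looking strings, not real beacon data.
SAMPLE_DNS_LOG = """\
2019-01-15T14:02:01Z rundll32.exe 4188 A    aGVsbG8gd29ybGQgdGhpcyBpcyBh.freegoogleadsenseinfo.com
2019-01-15T14:02:03Z rundll32.exe 4188 TXT  c2NyZWVuc2hvdCB0YWtlbiBvZiB0aGU.freegoogleadsenseinfo.com
2019-01-15T14:02:05Z rundll32.exe 4188 A    0a1b2c3d4e5f60718293a4b5c6d7e8f9.freegoogleadsenseinfo.com
2019-01-15T14:02:07Z rundll32.exe 4188 TXT  ZGVhZGJlZWZkZWFkYmVlZmRlYWRiZWVm.freegoogleadsenseinfo.com
2019-01-15T14:02:09Z rundll32.exe 4188 A    QmVhY29uIGNoZWNraW4gZnJvbSBOaW1kYQ.freegoogleadsenseinfo.com
2019-01-15T14:02:10Z chrome.exe   2210 A    www.example.com
2019-01-15T14:02:11Z chrome.exe   2210 AAAA cdn.example.org
2019-01-15T14:02:12Z svchost.exe  1104 A    time.example.net
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{20,}$", re.I)
ALNUM_LABEL = re.compile(r"^[A-Za-z0-9]{20,}$")
MIN_ENCODED_QUERIES = 3     # assumed thresholds; tune against your own baseline
MIN_UNIQUE_SUBDOMAINS = 3
LONG_QNAME = 100            # DNS allows 253 characters; ordinary hostnames are far shorter


def registered_domain(qname):
    """Last two labels (caveat: does not handle multi-part public suffixes
    such as co.uk; use a public-suffix list in production)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def looks_encoded(label):
    """Heuristic: long hex, or long alphanumeric with mixed case, which ordinary
    (case-insensitive, usually lowercase) hostnames rarely show."""
    if HEX_LABEL.match(label):
        return True
    return bool(ALNUM_LABEL.match(label)) and label.lower() != label and label.upper() != label


def summarize_dns(log_text):
    """Per-domain counters feeding the C2 heuristics."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "encoded": 0,
                                 "max_qname_len": 0, "processes": set(), "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, proc, _pid, qtype, qname = line.split()
        d = stats[registered_domain(qname)]
        d["queries"] += 1
        d["processes"].add(proc)
        d["max_qname_len"] = max(d["max_qname_len"], len(qname))
        if qtype.upper() == "TXT":
            d["txt"] += 1
        labels = qname.rstrip(".").split(".")
        if len(labels) > 2:
            d["subdomains"].add(".".join(labels[:-2]).lower())
            if looks_encoded(labels[0]):
                d["encoded"] += 1
    return stats


def flag_dns_c2(log_text):
    """Domains that look like a DNS channel: enough distinct encoded subdomains,
    or any abnormally long query name. Returns [(domain, summary), ...]."""
    flagged = []
    for domain, d in summarize_dns(log_text).items():
        many_encoded = (d["encoded"] >= MIN_ENCODED_QUERIES
                        and len(d["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS)
        if many_encoded or d["max_qname_len"] >= LONG_QNAME:
            summary = dict(d, subdomains=len(d["subdomains"]), processes=sorted(d["processes"]))
            flagged.append((domain, summary))
    return flagged


if __name__ == "__main__":
    for domain, summary in flag_dns_c2(SAMPLE_DNS_LOG):
        print(domain, summary)
```

Joining the flagged domain back to the querying process (rundll32.exe here) is what turns a network-side hit into the tainted-process-tree view most of the vendors presented.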
Procedure (as described in the vendor notes): cmd.exe executing ipconfig.exe (network configuration discovery)

| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | Telemetry | Telemetry within the process tree showed cmd.exe executing ipconfig.exe with command-line arguments. |
| Carbon Black | Enrichment | The capability enriched ipconfig.exe with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery). |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because ipconfig was one of the reconnaissance commands performed. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing ipconfig with command-line arguments. The process tree showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran ipconfig) were considered tainted and suspicious. |
| Cybereason | Telemetry | Telemetry showed cmd.exe executing ipconfig with command-line arguments. |
| Cybereason | Enrichment (Tainted) | The capability enriched cmd.exe executing ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery). The data was tainted by a parent Injected Shellcode alert. |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| Endgame | General Behavior (Tainted) | A General Behavior alert called Unusual Child Process of RunDLL32 was generated for cmd.exe executing ipconfig.exe with command-line arguments. The alert was tainted as part of the event tree under a parent Malicious File Detection. |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing ipconfig.exe with command-line arguments (tainted by a parent Malicious File Detection). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that ipconfig.exe was one of the reconnaissance commands performed to enumerate the network configuration of Nimda. |
| FireEye | Enrichment | The capability enriched ipconfig.exe with an alert for Ipconfig Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery). |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing ipconfig.exe with command-line arguments and enriched the command with the condition Ipconfig All Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the ipconfig utility displayed configuration information. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing ipconfig with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of ipconfig.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | General Behavior (Tainted) | A General Behavior alert was generated for a commonly abused process (cmd.exe) spawning out of rundll32.exe. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment | The capability enriched the execution of ipconfig.exe with the correct ATT&CK Technique (System Network Configuration Discovery). |
| RSA | Telemetry | Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
Procedure (as described in the vendor notes): cmd.exe executing arp.exe

| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | Enrichment | The capability enriched arp.exe with a related ATT&CK Technique (T1018 - Remote System Discovery). |
| Carbon Black | Telemetry | Telemetry within the process tree showed cmd.exe executing arp.exe with command-line arguments. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because arp was one of the reconnaissance commands performed. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing arp with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran arp) were considered tainted. |
| Cybereason | Telemetry (Tainted) | Telemetry showed arp.exe executing with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing arp.exe with command-line arguments (tainted by a parent Malicious File Detection). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that arp.exe was one of the reconnaissance commands performed to enumerate the network configuration of Nimda. |
| FireEye | Enrichment | The capability enriched arp.exe with an alert for Arp Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery). |
| GoSecure | Telemetry (Tainted) | Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched arp.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the contents of the local ARP cache table were viewed. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing arp with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of arp.exe as possible reconnaissance as well as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment | The capability enriched the execution of arp.exe with the correct ATT&CK Technique (System Network Configuration Discovery). |
| RSA | Telemetry | Telemetry showed cmd.exe executing arp.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
echo executed from cmd.exe. echo is a cmd.exe built-in, so no child process is created; every detection below rests on cmd.exe's own command line rather than on a separate process:

| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry within the process tree showed cmd.exe executing echo with command-line arguments. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing echo with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran echo) were considered tainted. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because echo was one of the reconnaissance commands performed. |
| Cybereason | Telemetry (Tainted) | Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing echo with command-line arguments (tainted by a parent Malicious File Detection). |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that echo was one of the commands used to enumerate the current username. |
| FireEye | Telemetry | Telemetry showed the use of echo with command-line arguments. |
| F-Secure | Telemetry | Telemetry showed cmd.exe executing the echo command. |
| F-Secure | General Behavior | A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing the echo command), which was identified as extremely rare and suspicious. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (cmd.exe running echo) was tagged for monitoring because its parent process (rundll32.exe) had a detection. |
| GoSecure | Telemetry (Tainted) | Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing the echo command. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| McAfee | Enrichment | The capability enriched the cmd.exe echo command with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) and a suspicious indicator that the command tried to identify the user on the system. |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence of cmd.exe executing echo with command-line arguments (tainted by the alert on a suspicious sequence of exploration activities from child processes of rundll32.exe). |
| Palo Alto Networks | Enrichment | The capability enriched cmd.exe executing echo with the correct ATT&CK Technique (System Owner/User Discovery). |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed cmd.exe executing echo with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
Process enumeration through an API call. No command-line tool is launched, so there is no child process and no command line for process-tree telemetry to record, which is why nearly every capability shows nothing here:

| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |
tasklist.exe executed from cmd.exe:

| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Enrichment | The capability enriched tasklist.exe with the correct ATT&CK Technique (T1057 - Process Discovery). |
| Carbon Black | Telemetry | Telemetry within the process tree showed cmd.exe executing tasklist.exe with command-line arguments. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing tasklist with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran tasklist) were considered tainted. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because tasklist was one of the reconnaissance commands performed. |
| Cybereason | Telemetry (Tainted) | Telemetry showed cmd.exe executing tasklist with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing tasklist.exe with command-line arguments (tainted by a parent Malicious File Detection). |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that tasklist was one of the commands used to enumerate current running processes. |
| FireEye | Enrichment | The capability enriched tasklist.exe with an alert for Tasklist Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1057 - Process Discovery) and Tactic (Discovery). |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (cmd.exe running tasklist) was tagged for monitoring because its parent process (cmd.exe) had a detection. |
| F-Secure | General Behavior | A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing tasklist), which was identified as extremely rare and suspicious. |
| F-Secure | Telemetry | Telemetry showed cmd.exe executing tasklist.exe along with command-line arguments. |
| GoSecure | Telemetry (Tainted) | Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| McAfee | Enrichment | The capability enriched tasklist.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Service Discovery) and a suspicious indicator that the process discovered running Windows services and/or processes. |
| Microsoft | General Behavior (Delayed) | A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. |
| Microsoft | Telemetry | Telemetry showed the execution sequence of cmd.exe executing tasklist.exe with command-line arguments. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of tasklist.exe as the enumeration of running processes via the command line. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing tasklist with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment | The capability enriched tasklist.exe executing with a related ATT&CK Technique (System Information Discovery). |
| RSA | Telemetry | Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
sc.exe (sc query) executed from cmd.exe:

| Vendor | Detection Type | Notes |
|---|---|---|
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because sc query was one of the reconnaissance commands performed. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing sc with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran sc) were considered tainted. |
| Cybereason | Enrichment (Tainted) | The capability enriched cmd.exe executing sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery). The data was tainted by a parent Injected Shellcode alert. |
| Cybereason | Telemetry | Telemetry showed cmd.exe executing sc with command-line arguments. |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing sc.exe with command-line arguments (tainted by a parent Malicious File Detection). |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that sc was one of the commands used to enumerate current running services. |
| FireEye | Enrichment | The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing sc.exe with command-line arguments and enriched the command with the condition SC Query Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing sc.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| McAfee | Enrichment | The capability enriched sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe or net.exe tool. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing sc with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed cmd.exe executing sc.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing sc.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
net.exe (net start) executed from cmd.exe:

| Vendor | Detection Type | Notes |
|---|---|---|
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. |
| Cybereason | Telemetry | Telemetry showed cmd.exe executing net with command-line arguments. |
| Cybereason | Enrichment (Tainted) | The capability enriched cmd.exe executing net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery). The data was tainted by a parent Injected Shellcode alert. |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net Start Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that net was one of the commands used to enumerate current running services. |
| F-Secure | General Behavior | A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net), which was identified as extremely rare and suspicious. |
| F-Secure | Telemetry | Telemetry showed cmd.exe executing net.exe with command-line arguments. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (cmd.exe running net) was tagged for monitoring because its parent process (rundll32.exe) had a detection. |
| GoSecure | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe or net.exe tool. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by the alert on a suspicious sequence of exploration activities from child processes of rundll32.exe). |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed cmd.exe executing net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
systeminfo.exe executed from cmd.exe:

| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry within the process tree showed cmd.exe executing systeminfo.exe. |
| Carbon Black | Enrichment | The capability enriched systeminfo.exe with the correct ATT&CK Technique (System Information Discovery). |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing systeminfo. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran systeminfo) were considered tainted. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because systeminfo was one of the reconnaissance commands performed. |
| CrowdStrike | General Behavior (Delayed) | OverWatch also generated a General Behavior alert indicating systeminfo execution was suspicious. |
| Cybereason | Enrichment (Tainted) | The capability enriched systeminfo.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery). The data was tainted by a parent Injected Shellcode alert. |
| Cybereason | Telemetry | Telemetry showed cmd.exe executing systeminfo with command-line arguments. |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing systeminfo.exe (tainted by a parent Malicious File Detection). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified systeminfo as a reconnaissance command used to obtain details from the system. |
| FireEye | Enrichment | The capability enriched systeminfo.exe with an alert for Systeminfo Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1082 - System Information Discovery) and Tactic (Discovery). |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (cmd.exe running systeminfo) was tagged for monitoring because its parent process (rundll32.exe) had a detection. |
| F-Secure | Enrichment | The capability enriched systeminfo.exe with an indication that it could be used for reconnaissance. |
| GoSecure | Telemetry (Tainted) | Telemetry showed cmd.exe executing systeminfo.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched systeminfo.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing systeminfo.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| Microsoft | Telemetry | Telemetry showed the execution sequence of cmd.exe running systeminfo.exe. |
| Microsoft | General Behavior (Delayed) | A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of systeminfo.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment | The capability enriched cmd.exe executing systeminfo with the correct ATT&CK Technique (System Information Discovery). |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing systeminfo with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed cmd.exe executing systeminfo.exe. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
net.exe (net config) executed from cmd.exe:

| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Enrichment | The capability enriched net.exe with the correct ATT&CK Technique (System Information Discovery). |
| Carbon Black | Telemetry | Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net config was one of the reconnaissance commands performed. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. |
| Cybereason | Telemetry | Telemetry showed cmd.exe executing net with command-line arguments. |
| Cybereason | Enrichment (Tainted) | The capability enriched net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery). The data was tainted by a parent Injected Shellcode alert. |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net Config Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1082 - System Information Discovery) and Tactic (Discovery). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified net config as a reconnaissance command performed. |
| F-Secure | Enrichment | The capability enriched net.exe with an indication that it is commonly used for reconnaissance. |
| F-Secure | General Behavior | A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net), which was identified as extremely rare and suspicious. |
| F-Secure | Telemetry | Telemetry showed cmd.exe executing net.exe with command-line arguments. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (cmd.exe running net) was tagged for monitoring because its parent process (rundll32.exe) had a detection. |
| GoSecure | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried. |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments (tainted by the alert on a suspicious sequence of exploration activities from child processes of rundll32.exe). |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment | The capability enriched cmd.exe executing net with the correct ATT&CK Technique (System Information Discovery). |
| RSA | Telemetry | Telemetry showed cmd.exe executing net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
net.exe executed from cmd.exe to enumerate group membership (first procedure):

| Vendor | Detection Type | Notes |
|---|---|---|
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). |
| Endgame | Enrichment (Tainted) | The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated members of the local administrators group. |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information on users/groups was obtained. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| RSA | Telemetry | Telemetry showed cmd.exe executing net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
net.exe executed from cmd.exe to enumerate group membership (second procedure):

| Vendor | Detection Type | Notes |
|---|---|---|
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). |
| Endgame | Enrichment (Tainted) | The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated members of the local administrators group. |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information on users/groups was obtained. |
| RSA | Telemetry | Telemetry showed cmd.exe executing net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. |
| CrowdStrike | Enrichment (Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The enrichment was tainted by a previous detection. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. |
| Cybereason | Telemetry | Telemetry showed cmd.exe executing net with command-line arguments. |
| Cybereason | General Behavior (Tainted) | A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Technique (Permission Groups Discovery) and Tactic (Discovery). The alert was tainted by a parent Injected Shellcode alert. |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| Endgame | Enrichment (Tainted) | The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated the Shockwave domain's Domain Administrators group. |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that information about users/groups was obtained. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of net.exe as the execution of an enumeration command, and the execution of net1.exe as the execution of an enumeration command using net or net1. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed cmd.exe executing net.exe with command-line arguments. |
| RSA | Enrichment | An "IIOC" module called "Enumerates domain administrators" was generated and provided enrichment. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |

| Carbon Black | Telemetry | Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. |
| Carbon Black | Enrichment | The capability enriched net.exe with the correct ATT&CK Technique (Account Discovery). |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net.exe) were considered tainted. |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified net user as a reconnaissance command performed. |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). |
| F-Secure | General Behavior | A General Behavior alert was generated for rundll32.exe launching cmd.exe (which executed net), which was identified as extremely rare and suspicious. |
| F-Secure | Enrichment | The capability enriched net.exe with a tag identifying the command as enumeration. |
| GoSecure | Enrichment (Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery), a related Technique (System Owner/User Discovery), and a suspicious indicator that information about users/groups was obtained. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed cmd.exe executing net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |

| Carbon Black | Enrichment | The capability enriched net.exe with the correct ATT&CK Technique (Account Discovery). |
| Carbon Black | Telemetry | Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net user was one of the reconnaissance commands performed. |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified net user as a reconnaissance command performed. |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (net) had been tagged for monitoring because its parent process (cmd.exe) had a detection. |
| F-Secure | Enrichment | The capability enriched net.exe with a tag identifying the command as enumeration. |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Reconnaissance Tool and Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery), a related Technique (System Owner/User Discovery), and a suspicious indicator that information about users/groups was obtained. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment | The capability enriched the execution of net1.exe with the correct ATT&CK Technique (Account Discovery). |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed cmd.exe executing net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |

| Carbon Black | Enrichment | The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry). |
| Carbon Black | Telemetry | Telemetry within the process tree showed cmd.exe executing reg.exe with command-line arguments. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe executing reg with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran reg) were considered tainted. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because reg query was one of the reconnaissance commands performed. |
| Cybereason | Telemetry (Tainted) | Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. |
| Endgame | General Behavior (Configuration Change, Delayed, Tainted) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed cmd.exe executing reg.exe with command-line arguments (tainted by a parent Malicious File Detection). |
| FireEye | Enrichment | The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because the attacker queried a registry key that contains system policy configurations. |
| F-Secure | Enrichment | The capability enriched reg.exe indicating that a sensitive registry key was accessed, possibly as part of reconnaissance. |
| F-Secure | General Behavior | A General Behavior alert was generated for rundll32.exe launching cmd.exe (which executed reg), which was identified as extremely rare and suspicious. |
| F-Secure | Telemetry | Telemetry showed cmd.exe executing reg with command-line arguments. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (cmd.exe running reg) had been tagged for monitoring because its parent process (rundll32.exe) had a detection. |
| GoSecure | Telemetry (Tainted) | Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility. |
| McAfee | Enrichment | The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery). |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence of cmd.exe running reg.exe with command-line arguments (tainted by the alert on a suspicious sequence of exploration activities from child processes of rundll32.exe). |
| Palo Alto Networks | Enrichment | The capability enriched the execution of reg.exe with the correct ATT&CK Technique (Query Registry). |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed cmd.exe executing reg.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |

| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | Telemetry | Telemetry showed an integrity level change for user Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High), which is indicative of bypassing UAC. |
| Cybereason | Telemetry (Tainted) | Telemetry showed powershell.exe running as medium integrity as user Debbie, then another instance running later as high integrity as user Debbie. The telemetry was tainted by a parent PowerShell alert. |
| Endgame | Telemetry | Telemetry showed a mismatch between the logon id (authentication id) of parent and child processes, indicating that a different token was used. Though no screenshot for this data is available, this information can be used to trace back to the logon event for that logon id and display the process integrity level indicative of the elevated token used for the UAC bypass. |
| FireEye | Telemetry (Configuration Change) | Telemetry showed execution of powershell.exe as a high integrity process as SYSTEM with a token login ID previously associated with user Debbie. |
| F-Secure | Enrichment | The capability enriched an unelevated svchost.exe spawning an elevated powershell.exe process with a tag indicating a possible UAC Bypass. |
| GoSecure | None | No detection capability demonstrated for this procedure, though an alert was triggered due to svchost.exe creating the process powershell.exe. |
| McAfee | Specific Behavior | A Specific Behavior alert was generated for a possible UAC bypass. The alert was tagged with the correct ATT&CK Technique (Bypass User Account Control) and Tactics (Defense Evasion, Privilege Escalation). |
| Microsoft | Telemetry (Tainted) | Telemetry showed rundll32.exe as a medium integrity process as user Debbie and subsequent execution of powershell.exe as a high integrity process as SYSTEM as part of the UAC bypass (tainted by an alert on a suspicious PowerShell command line generated for the svchost.exe invocation of powershell.exe with an encoded script). |
| Palo Alto Networks | Telemetry | Telemetry showed a process integrity level change from parent rundll32.exe (medium / 8192) to child powershell.exe (high / 12288), both running as user Debbie. |
| RSA | None | No detection capability demonstrated for this procedure, though an alert was created for PowerShell with the -enc command-line argument. |
| SentinelOne | Telemetry | Telemetry showed process integrity levels changing from medium to high. |

| Carbon Black | Telemetry | Telemetry showed svchost.exe, with the seclogon command-line argument, performing activity related to token manipulation. |
| CrowdStrike | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure, though an alert was generated for malicious code injection into PowerShell. Telemetry also showed that bypassuactoken.x64.dll was loaded. |
| Endgame | Telemetry | Telemetry showed a svchost.exe seclogon event for a token logon id (authentication id) later used by a new powershell.exe process, highlighting token manipulation via a mismatch in ids between parent and child process tokens. |
| FireEye | Telemetry (Configuration Change) | Telemetry showed a svchost.exe seclogon event for a token logon ID later used by a process whose group membership indicated high integrity. |
| F-Secure | Telemetry | Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent logon event for user Debbie with an elevated token, indicating token manipulation. |
| GoSecure | None | No detection capability demonstrated for this procedure, though an alert was triggered due to svchost.exe creating the process powershell.exe. |
| McAfee | Telemetry (Delayed) | Telemetry showed svchost.exe with the seclogon command-line argument, as well as a New Credentials logon event for user Debbie, indicating token manipulation. |
| Microsoft | Telemetry (Tainted) | Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent elevated powershell.exe process, indicating token manipulation (tainted by a parent alert on a suspicious PowerShell command line generated for the svchost.exe invocation of powershell.exe with an encoded script). |
| Palo Alto Networks | Telemetry | Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent logon event with an elevated token and new logon ID, indicating token manipulation. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |

| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |

| Carbon Black | Specific Behavior | A Specific Behavior alert was generated that was mapped to the correct ATT&CK Technique (Process Injection). |
| Carbon Black | Telemetry | Telemetry showed "crossproc" events indicative of Process Injection into cmd.exe. |
| CrowdStrike | General Behavior (Delayed, Tainted) | OverWatch also generated a General Behavior alert identifying the injection as suspicious. The process tree view showed the alert as tainted by previous svchost.exe and powershell.exe detections. |
| CrowdStrike | Specific Behavior (Tainted) | A Specific Behavior alert was generated showing that PowerShell created a thread in a remote process. The alert identified the correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion). The process tree view showed the alert as tainted by parent svchost.exe and powershell.exe detections. |
| CrowdStrike | Telemetry | Telemetry associated with the alert would show thread creation in a separate view. |
| Cybereason | Specific Behavior (Tainted) | A Specific Behavior alert was generated for process injection from powershell.exe into cmd.exe (Anonymous RWX). The alert was tagged with the correct ATT&CK Tactic (Defense Evasion) and Technique (Process Injection). The alert was tainted by a parent PowerShell alert. |
| Endgame | Specific Behavior | A Specific Behavior alert was generated for process injection into cmd.exe. |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified a process injection from PowerShell.exe to cmd.exe. |
| F-Secure | Specific Behavior | A Specific Behavior alert was generated for PowerShell opening a handle to a system process with access rights typical of a known PowerShell injection pattern, identified as a sign of code injection. |
| GoSecure | Specific Behavior (Tainted) | A Specific Behavior alert was generated based on DLL injection for powershell.exe injecting into cmd.exe. The detection was labeled with Process Hijacking and Privilege Escalation and tainted by the parent "Powershell process created" alert. |
| McAfee | Specific Behavior | A Specific Behavior alert was generated for a process injection from PowerShell into cmd.exe, based on both processes connecting to a named pipe. The alert was tagged with the correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation). |
| Microsoft | Specific Behavior (Delayed) | A Specific Behavior alert was generated for process injection. |
| Microsoft | Enrichment (Tainted) | The capability enriched data showing powershell.exe injecting into cmd.exe (tainted by an alert on a suspicious PowerShell command line generated for the svchost.exe invocation of powershell.exe with an encoded script). |
| Palo Alto Networks | Specific Behavior (Tainted) | A Specific Behavior alert was generated for PowerShell injecting shellcode. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed powershell.exe creating a remote thread in cmd.exe. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe allocating memory, writing to memory space, and invoking a thread in cmd.exe (tainted by association with the parent alert for the powershell.exe process executed by svchost.exe). |

| Carbon Black |
|
Enrichment |
|
| The capability enriched net.exe with a related ATT&CK technique (Account Discovery).
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Telemetry |
|
| Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| CrowdStrike |
|
General Behavior (Delayed) |

|
| The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
|
|
Enrichment |
|
| The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
|
|
Telemetry |
|
| Telemetry within the enrichment showed net.exe executing with command-line arguments, and would be available in a separate view.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
|
|
General Behavior (Delayed) |

|
| OverWatch also generated a General Behavior alert identifying cmd.exe executing net as suspicious.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
| |
| Cybereason |
|
General Behavior (Tainted) |

|
| A General Behavior alert was generated for net.exe executing as part of a suspicious execution chain related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was tainted by a parent Injected Shellcode alert.
|
|
Telemetry |
|
| Telemetry showed cmd.exe executing net with command-line arguments.
| |
| Endgame |
|
Telemetry |
|
| Telemetry showed the process creation of net group with command-line arguments.
|
|
Enrichment (Delayed) |

|
| The capability enriched the net command with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery).
| |
| FireEye |
|
Enrichment |
|
| The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery).
|
|
General Behavior (Delayed) |

|
| The Managed Defense Report indicated a General Behavior occurred because it listed net group among the reconnaissance commands performed.
| |
| F-Secure |
|
Telemetry |
|
| Telemetry showed cmd.exe executing net with command-line arguments.
|
|
Enrichment |
|
| The capability enriched net.exe indicating that it was run with commands commonly used for reconnaissance.
| |
| GoSecure |
|
Enrichment (Configuration Change, Tainted) |
 
|
| The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net Group Reconnaissance Command. The enrichment was tainted by the parent "Powershell Execution Policy ByPass command ran" alert.
| |
| McAfee |
|
Enrichment |
|
| The capability enriched net.exe with the correct Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers.
|
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe.
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by association with the suspicious process injection alert on rundll32.exe).
| |
| Palo Alto Networks |
|
Telemetry |
|
| Telemetry showed cmd.exe executing net with command-line arguments.
|
|
Enrichment |
|
| The capability enriched the execution of net.exe as the execution of an enumeration command.
|
|
Enrichment |
|
| The capability enriched the execution of net.exe as the execution of an enumeration command using net or net1.
|
|
Enrichment |
|
| The capability enriched cmd.exe executing net with a related ATT&CK Technique (System Network Connections Discovery).
| |
| RSA |
|
Telemetry |
|
| Telemetry showed cmd.exe running net.exe with command-line arguments.
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID).
| |
| Carbon Black |
|
Telemetry |
|
| Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
|
|
Enrichment |
|
| The capability enriched net.exe with a related ATT&CK technique (Account Discovery).
| |
| CrowdStrike |
|
General Behavior (Delayed) |

|
| The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed.
|
|
Telemetry |
|
| Telemetry within the enrichment showed net.exe with command-line arguments, and would be available in a separate view.
|
|
Enrichment |
|
| The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery).
|
|
General Behavior (Delayed) |

|
| The OverWatch team identified net group as suspicious with a General Behavior alert.
| |
| Cybereason |
|
General Behavior (Tainted) |

|
| A General Behavior alert was generated for net.exe executing as part of a suspicious execution chain related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery). The alert was tainted by a parent Injected Shellcode alert.
|
|
Telemetry |
|
| Telemetry showed cmd.exe executing net with command-line arguments.
| |
| Endgame |
|
Telemetry |
|
| Telemetry showed the process creation of net group with command-line arguments.
|
|
Enrichment (Delayed) |

|
| The capability enriched the net command with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery).
| |
| FireEye |
|
General Behavior (Delayed) |

|
| The Managed Defense Report indicated a General Behavior occurred because it listed net group among the reconnaissance commands performed.
|
|
Enrichment |
|
| The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery).
| |
| F-Secure |
|
Telemetry |
|
| Telemetry showed cmd.exe executing net with command-line arguments.
|
|
Enrichment |
|
| The capability enriched net.exe indicating that it was run with commands commonly used for reconnaissance.
| |
| GoSecure |
|
Enrichment (Configuration Change, Tainted) |
 
|
| The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net Group Reconnaissance Command. The enrichment was tainted by the parent "Powershell Execution Policy ByPass command ran" alert.
| |
| McAfee |
|
Enrichment |
|
| The capability enriched net.exe with the correct Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers.
|
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe.
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by association with the suspicious process injection alert on rundll32.exe).
| |
| Palo Alto Networks |
|
Telemetry |
|
| Telemetry showed cmd.exe executing net with command-line arguments.
|
|
Enrichment |
|
| The capability enriched the execution of net.exe as the execution of an enumeration command using net or net1.
| |
| RSA |
|
Telemetry |
|
| Telemetry showed cmd.exe running net.exe with command-line arguments.
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID).
| |
| Carbon Black |
|
Enrichment |
|
| The capability enriched netsh.exe with a related ATT&CK technique (T1063 - Security Software Discovery) and a tag for Potential Windows Firewall Rule Recon.
|
|
Telemetry |
|
| Telemetry within the process tree showed cmd.exe executing netsh.exe with command-line arguments.
| |
| CrowdStrike |
|
General Behavior (Delayed) |

|
| The OverWatch team also sent an email indicating a General Behavior was observed because netsh was one of the reconnaissance commands performed.
|
|
Telemetry |
|
| Telemetry within the OverWatch alert showed netsh executing with command-line arguments, and would be available in a separate view.
|
|
General Behavior (Delayed) |

|
| OverWatch generated a General Behavior alert indicating the execution of netsh by cmd.exe was suspicious.
| |
| Cybereason |
|
Telemetry |
|
| Telemetry showed cmd.exe executing netsh with command-line arguments.
|
|
Enrichment (Tainted) |

|
| The capability enriched netsh.exe executing with the correct ATT&CK Tactic (Discovery) and a related Technique (Security Software Discovery). The data was tainted by a parent Injected Shellcode alert.
| |
| FireEye |
|
Specific Behavior (Delayed) |

|
| The Managed Defense Report indicated a Specific Behavior occurred because it identified that netsh was a reconnaissance command used to obtain network configuration and the configuration profile of the Windows Firewall.
|
|
Enrichment |
|
| The capability enriched netsh.exe with an alert for Netsh Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1063 - Security Software Discovery) and the correct Tactic (Discovery).
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing netsh.exe with command-line arguments. The telemetry was tainted by the parent "Powershell Execution Policy ByPass command ran" alert.
| |
| McAfee |
|
Enrichment |
|
| The capability enriched netsh.exe with the correct Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the netsh utility manipulated firewall rules.
|
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing netsh.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe.
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed the execution sequence of cmd.exe executing netsh.exe with command-line arguments (tainted by association with the suspicious process injection alert on rundll32.exe).
| |
| RSA |
|
Telemetry |
|
| Telemetry showed cmd.exe running netsh.exe with command-line arguments.
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing netsh.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID).
| |
| Carbon Black |
|
Enrichment |
|
| The capability enriched netstat.exe with the correct ATT&CK technique (System Network Connections Discovery).
|
|
Telemetry |
|
| Telemetry within the process tree showed cmd.exe executing netstat.exe with command-line arguments.
| |
| CrowdStrike |
|
General Behavior (Delayed) |

|
| The OverWatch team also sent an email indicating a General Behavior was observed because netstat was one of the reconnaissance commands performed.
|
|
Telemetry |
|
| Telemetry within the OverWatch alert showed cmd.exe executing netstat with command-line arguments, and would be available in a separate view.
|
|
General Behavior (Delayed) |

|
| OverWatch generated a General Behavior alert indicating cmd.exe executing netstat with command-line arguments was suspicious.
| |
| Cybereason |
|
Telemetry |
|
| Telemetry showed cmd.exe executing netstat with command-line arguments.
|
|
Enrichment (Tainted) |

|
| The capability enriched netstat.exe executing as Reconnaissance and mapped to the correct ATT&CK Technique (System Network Connections Discovery). The data was tainted by a parent Injected Shellcode alert.
| |
| Endgame |
|
Telemetry |
|
| Telemetry showed the process creation of netstat with command-line arguments.
|
|
Enrichment (Delayed) |

|
| The capability enriched the netstat command with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery).
| |
| FireEye |
|
Specific Behavior (Delayed) |

|
| The Managed Defense Report indicated a Specific Behavior occurred because it identified that netstat was a reconnaissance command used to enumerate active and listening network ports.
|
|
Enrichment |
|
| The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery).
| |
| F-Secure |
|
Enrichment |
|
| The capability enriched netstat.exe with a tag identifying the command as enumeration.
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by the parent "Powershell Execution Policy ByPass command ran" alert.
| |
| McAfee |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe.
|
|
Enrichment |
|
| The capability enriched netstat.exe with the correct Tactic (Discovery) and Technique (System Network Connections Discovery) and a suspicious indicator that network statistics and TCP/IP connections were gathered.
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed the execution sequence of cmd.exe executing netstat.exe with command-line arguments (tainted by association with the suspicious process injection alert on rundll32.exe).
| |
| Palo Alto Networks |
|
Telemetry |
|
| Telemetry showed cmd.exe executing netstat with command-line arguments.
|
|
Enrichment |
|
| The capability enriched netstat.exe executing with the correct ATT&CK Technique (System Network Connections Discovery).
| |
| RSA |
|
Telemetry |
|
| Telemetry showed cmd.exe running netstat.exe with command-line arguments.
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID).
| |
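The net, netsh and netstat rows above (and the reg query rows later on this page) describe two layers of detection: a per-command enrichment or weak signal that tags the utility with an ATT&CK technique, and a delayed General Behavior alert from a managed service that noticed several reconnaissance commands coming from one shell. The Python below is an added example, not MITRE's or any vendor's code; it implements both layers over constructed process-creation records. The field names, rule set, thresholds and sample events are assumptions.

```python
# Added example, not code from MITRE or any vendor on this page.  It enriches
# process-creation telemetry with the discovery techniques the rows above map
# to (net group -> T1069, netsh firewall recon -> T1063, netstat -> T1049,
# reg query -> T1012) and rolls repeated discovery from one shell up into a
# single "reconnaissance commands performed" behaviour alert.  Field names,
# the rule set and the sample events are constructed.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    ts: int          # seconds; constructed timestamps
    pid: int
    ppid: int
    image: str       # executable basename as the sensor reports it
    cmdline: str
    user: str


@dataclass(frozen=True)
class Enrichment:
    pid: int
    origin_pid: int          # the shell the command chain descends from
    technique: Optional[str]
    name: str
    cmdline: str


# (image regex, argument regex, ATT&CK technique id, label).  The ids are the
# ones the enrichments on this page cite; None marks a weak signal with no
# technique of its own (the "enumeration command using net or net1" case).
RULES = [
    (r"^net1?\.exe$",   r"\b(group|localgroup)\b",        "T1069", "Permission Groups Discovery"),
    (r"^net1?\.exe$",   r"\b(user|view|share|session)\b", None,    "net enumeration command"),
    (r"^netsh\.exe$",   r"\b(advfirewall|firewall)\b",    "T1063", "Security Software Discovery (firewall rule recon)"),
    (r"^netstat\.exe$", r"",                              "T1049", "System Network Connections Discovery"),
    (r"^reg\.exe$",     r"^\S+\s+query\b",                "T1012", "Query Registry"),
]


def _origin(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> int:
    """net.exe hands most subcommands to a child net1.exe; walk through that
    wrapper so net1.exe is attributed to the shell, not to net.exe."""
    cur = ev
    while cur.ppid in by_pid and by_pid[cur.ppid].image.lower() == "net.exe":
        cur = by_pid[cur.ppid]
    return cur.ppid


def enrich(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> Optional[Enrichment]:
    """First matching rule wins, so 'net group' is T1069 rather than the generic net case."""
    for image_re, args_re, technique, name in RULES:
        if re.match(image_re, ev.image, re.I) and re.search(args_re, ev.cmdline, re.I):
            return Enrichment(ev.pid, _origin(ev, by_pid), technique, name, ev.cmdline)
    return None


def enrich_all(events: List[ProcessEvent]) -> List[Enrichment]:
    by_pid = {e.pid: e for e in events}
    return [r for r in (enrich(e, by_pid) for e in events) if r is not None]


def reconnaissance_alerts(events: List[ProcessEvent], window: int = 600,
                          min_techniques: int = 3) -> Dict[int, List[str]]:
    """One behaviour alert per origin process that ran at least
    `min_techniques` distinct discovery techniques within `window` seconds of
    its first one; single commands stay weak-signal enrichments."""
    by_pid = {e.pid: e for e in events}
    seen: Dict[int, tuple] = {}   # origin pid -> (first ts, set of technique ids)
    for ev in sorted(events, key=lambda e: e.ts):
        r = enrich(ev, by_pid)
        if r is None or r.technique is None:
            continue
        first_ts, techniques = seen.setdefault(r.origin_pid, (ev.ts, set()))
        if ev.ts - first_ts <= window:
            techniques.add(r.technique)
    return {pid: sorted(t) for pid, (_, t) in seen.items() if len(t) >= min_techniques}


# Constructed sample resembling the evaluation's discovery chain: a cmd.exe
# under the injected rundll32.exe runs net group, netsh, netstat and reg query;
# a second, unrelated process runs a single netstat.
SAMPLE = [
    ProcessEvent(1000, 4040, 3312, "cmd.exe", "cmd.exe", "CORP\\Debbie"),
    ProcessEvent(1001, 4100, 4040, "net.exe", 'net group "Domain Admins" /domain', "CORP\\Debbie"),
    ProcessEvent(1001, 4104, 4100, "net1.exe", 'C:\\Windows\\system32\\net1 group "Domain Admins" /domain', "CORP\\Debbie"),
    ProcessEvent(1020, 4120, 4040, "netsh.exe", "netsh advfirewall show allprofiles", "CORP\\Debbie"),
    ProcessEvent(1035, 4130, 4040, "netstat.exe", "netstat -ano", "CORP\\Debbie"),
    ProcessEvent(1050, 4140, 4040, "reg.exe", 'reg query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"', "CORP\\George"),
    ProcessEvent(1060, 5200, 900, "netstat.exe", "netstat -e", "CORP\\svc_mon"),
]

if __name__ == "__main__":
    for r in enrich_all(SAMPLE):
        print(f"pid {r.pid} (origin {r.origin_pid}): {r.technique or 'weak signal'} {r.name}: {r.cmdline}")
    print("reconnaissance alerts:", reconnaissance_alerts(SAMPLE))
```

net.exe delegates most subcommands to a child net1.exe, which is why one enrichment above says "net or net1" and why the origin walk exists: a rule keyed only on net.exe misses the child, and one keyed on both double-counts unless the two are attributed to the same shell. The technique IDs are the ones the evaluation used at the time; later revisions of ATT&CK retired T1063, so treat the rule table as a mapping to maintain rather than a constant.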
| Carbon Black |
|
Specific Behavior |
|
| A Specific Behavior alert was generated showing the correct ATT&CK Technique (Credential Dumping).
|
|
Telemetry |
|
| Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection for credential dumping.
| |
| CrowdStrike |
|
Telemetry |
|
| Telemetry showing the lsass handle open and DLL loading would be available in a separate view.
|
|
Specific Behavior (Tainted) |

|
| A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection.
|
|
General Behavior (Delayed, Tainted) |
 
|
| A General Behavior alert was generated by the OverWatch team indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a parent detection.
| |
| Cybereason |
|
Specific Behavior |
|
| A Specific Behavior alert was generated for svchost.exe loading Mimikatz and accessing lsass (an audited system resource). The alert was also tagged with the correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection).
| |
| Endgame |
|
Specific Behavior |
|
| A Specific Behavior alert was generated for the correct ATT&CK Technique (Credential Dumping).
| |
| FireEye |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| F-Secure |
|
None |
|
| No detection capability demonstrated for this procedure.
| |
| GoSecure |
|
None |
|
| No detection capability demonstrated for this procedure, though a DDNA Scan alerted for svchost.exe and displayed details related to Process Injection.
| |
| McAfee |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| Microsoft |
|
Enrichment (Tainted) |

|
| The capability enriched data showing a svchost.exe process opening lsass.exe with a description that it was accessing credentials (tainted by parent process injection event that occurred from svchost.exe). Exploit Guard audited the process open and credential extraction event.
|
|
Specific Behavior (Delayed) |

|
| A Specific Behavior alert was generated on credential memory access.
| |
| Palo Alto Networks |
|
Specific Behavior |
|
| A Specific Behavior alert was generated for a suspicious handle being opened to lsass.exe to dump passwords. The alert was tagged with the correct ATT&CK Technique (Credential Dumping).
| |
| RSA |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| SentinelOne |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| Carbon Black |
|
Telemetry |
|
| Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection.
| |
| CrowdStrike |
|
Enrichment |
|
| The capability enriched several event types with descriptions, including for a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), as well as an lsass process accessed (ProcessHollowingDetected).
| |
| Cybereason |
|
Specific Behavior |
|
| A Specific Behavior alert was generated for svchost.exe reflectively loading a malicious executable, identified as Mimikatz, then accessing lsass. The alert was also tagged with the correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation). The powerkatz.dll was also seen loaded as floating executable code.
| |
| Endgame |
|
Telemetry |
|
| Telemetry showed privileged accesses (PROCESS_VM_READ and PROCESS_QUERY_LIMITED_INFORMATION) into lsass.exe.
| |
| FireEye |
|
None |
|
| No detection capability demonstrated for this procedure.
| |
| F-Secure |
|
None |
|
| No detection capability demonstrated for this procedure.
| |
| GoSecure |
|
General Behavior |
|
| A General Behavior alert was generated when a DDNA Scan alerted for svchost.exe. DDNA scan results showed that svchost.exe "appeared to inject code into another process."
| |
| McAfee |
|
None |
|
| No detection capability demonstrated for this procedure.
| |
| Microsoft |
|
Specific Behavior (Delayed) |

|
| A Specific Behavior alert was generated for process injection into lsass.exe.
|
|
Telemetry (Tainted) |

|
| Telemetry showed svchost.exe accessing lsass.exe and dumping credentials (tainted by the parent alert on sensitive credential memory read for the first credential dump). Exploit Guard audited the process open and credential extraction events.
| |
| Palo Alto Networks |
|
Specific Behavior |
|
| A Specific Behavior alert was generated for a suspicious handle being opened to lsass.exe. The alert was tagged with a related ATT&CK Technique (Credential Dumping).
| |
| RSA |
|
None |
|
| No detection capability demonstrated for this procedure.
| |
| SentinelOne |
|
None |
|
| No detection capability demonstrated for this procedure.
| |
| Carbon Black |
|
Telemetry |
|
| Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection for credential dumping.
| |
| CrowdStrike |
|
Specific Behavior (Tainted) |

|
| A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection.
|
|
Telemetry |
|
| Telemetry for the lsass remote thread and DLL loading would be available in a separate view.
|
|
General Behavior (Delayed, Tainted) |
 
|
| OverWatch also generated a General Behavior alert indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a previous detection.
|
|
Specific Behavior (Tainted) |

|
| A second Specific Behavior alert was generated for Credential Dumping, which indicated that "a remote thread in LSASS accessed credential registry keys." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection.
| |
| Cybereason |
|
Telemetry (Tainted) |

|
| Telemetry showed svchost.exe injecting into lsass.exe. The telemetry was tainted by the parent "injected (svchost.exe > lsass.exe)" alert. The hashdumpx64.dll was also seen loaded as floating executable code.
| |
| Endgame |
|
Specific Behavior |
|
| A Specific Behavior alert was generated for the correct ATT&CK Technique (Credential Dumping).
| |
| FireEye |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| F-Secure |
|
Enrichment |
|
| The capability enriched svchost.exe injecting a thread into lsass.exe with a tag identifying credential dumping.
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed a thread create within lsass.exe from svchost.exe, which could be indicative of credential dumping. The telemetry was tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts.
| |
| McAfee |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| Microsoft |
|
Enrichment (Tainted) |

|
| The capability enriched data showing a svchost.exe process opening lsass.exe with a description that it was accessing credentials (tainted by parent process injection event that occurred from svchost.exe). Exploit Guard audited the process open and credential extraction event.
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed a code injection into lsass.exe. The telemetry was tainted by a parent process injection alert on cmd.exe.
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated for svchost dumping credentials via the Registry. The alert was tagged with the correct ATT&CK Technique (Credential Dumping).
| |
| RSA |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| SentinelOne |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| Carbon Black |
|
Specific Behavior |
|
| A Specific Behavior alert was generated showing the correct ATT&CK Technique (Credential Dumping).
|
|
Telemetry |
|
| Telemetry showed a new thread and open handle into lsass.exe, which is indicative of process injection for credential dumping.
| |
| CrowdStrike |
|
Enrichment |
|
| The capability enriched several event types with descriptions, including for a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), malicious process hollowing (ProcessHollowingDetected), and a remote process injecting code into lsass (LsassInjectedCode).
| |
| Cybereason |
|
Specific Behavior |
|
| A Specific Behavior alert was generated for svchost.exe injection into lsass.exe. The alert was mapped with the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection). The hashdumpx64.dll was also seen loaded as floating executable code.
| |
| Endgame |
|
Specific Behavior |
|
| A Specific Behavior alert was generated for the correct ATT&CK Technique (Process Injection).
|
|
Telemetry (Tainted) |

|
| Telemetry showed multiple privileged accesses (including PROCESS_CREATE_THREAD) into lsass, indicative of Process Injection (tainted by the Process Injection alert).
| |
| FireEye |
|
None |
|
| No detection capability demonstrated for this procedure.
| |
| F-Secure |
|
Enrichment |
|
| The capability enriched svchost.exe injecting a thread into lsass.exe with a tag identifying thread injection.
| |
| GoSecure |
|
General Behavior |
|
| A General Behavior alert was generated when a DDNA Scan alerted for svchost.exe. The DDNA scan results showed that svchost.exe "appeared to inject code into another process."
|
|
Specific Behavior (Tainted) |

|
| A Specific Behavior alert was generated for process hijacking based on a thread create within lsass.exe from svchost.exe (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts).
| |
| McAfee |
|
None |
|
| No detection capability demonstrated for this procedure.
| |
| Microsoft |
|
Specific Behavior (Delayed) |

|
| A Specific Behavior alert was generated for process injection into lsass.exe. The alert was rolled up under the prior lsass.exe process injection alert and the last activity seen field was updated.
|
|
Telemetry (Tainted) |

|
| Telemetry showed svchost.exe accessing lsass.exe and dumping credentials (tainted by the parent alert on sensitive credential memory read for the first credential dump). Exploit Guard audited the process open and credential extraction events.
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed a code injection into lsass.exe. The telemetry was tainted by a parent process injection alert on cmd.exe.
| |
| RSA |
|
None |
|
| No detection capability demonstrated for this procedure.
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe injecting into svchost.exe (not counted for detection) then invoking a remote thread into lsass.exe. Powershell.exe was listed as the source of the remote thread into lsass.exe instead of svchost.exe because the alert on powershell.exe came before other events and therefore had increased precedence. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
| |
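The Credential Dumping and Process Injection rows above turn on two kinds of telemetry: a handle opened to lsass.exe with particular access rights (one row lists PROCESS_VM_READ and PROCESS_QUERY_LIMITED_INFORMATION for the read and PROCESS_CREATE_THREAD for the injection), and a remote thread created in another process (PowerShell into cmd.exe at the top of this section, svchost.exe into lsass.exe here). The Python below is an added example, not MITRE's or any vendor's code; it classifies records shaped like Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread) using the Win32 access-right bits. The allow-list, the source-image list and the sample events are constructed.

```python
# Added example, not code from MITRE or any vendor on this page.  Classifies
# lsass.exe handle opens and cross-process thread creation using the Win32
# access-right bits; record layouts follow Sysmon Event ID 10 / Event ID 8
# field names.  Allow-lists and sample events are constructed.
from dataclasses import dataclass
from typing import List, Optional

# Win32 process access rights (winnt.h).  0x1010 is the VM_READ |
# QUERY_LIMITED_INFORMATION pair one row above reports for the read.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

INJECT_BITS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass(frozen=True)
class AccessEvent:          # shaped like Sysmon Event ID 10 (ProcessAccess)
    source_image: str
    source_pid: int
    target_image: str
    granted_access: str     # hex string as Sysmon logs it, e.g. "0x1010"


@dataclass(frozen=True)
class RemoteThreadEvent:    # shaped like Sysmon Event ID 8 (CreateRemoteThread)
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int


# Images expected to read lsass memory (AV engines, logon infrastructure).
# Constructed allow-list keyed on basename; tune per environment and pair it
# with a path/signature check, since a basename alone is trivially spoofed.
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# Sources whose remote threads are worth a weak signal even outside lsass.
SCRIPT_AND_SHELL_HOSTS = {"powershell.exe", "cmd.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def classify_access(ev: AccessEvent) -> Optional[str]:
    """Label an lsass.exe handle open by the rights it was granted, or None."""
    if _base(ev.target_image) != "lsass.exe":
        return None
    mask = int(ev.granted_access, 16)
    src = _base(ev.source_image)
    if mask & INJECT_BITS:   # can write memory or start a thread: injection
        return f"Process Injection into lsass.exe from {src} (T1055)"
    if mask & PROCESS_VM_READ:
        if src in LSASS_READERS_ALLOWED:
            return None
        return f"Credential Dumping: lsass.exe memory read by {src} (T1003)"
    return None              # query-only handles (0x1000, 0x1400) are routine


def classify_remote_thread(ev: RemoteThreadEvent) -> Optional[str]:
    """A thread started in another process is injection; into lsass it is also
    the credential-access case the rows above describe."""
    if ev.source_pid == ev.target_pid:
        return None
    src, tgt = _base(ev.source_image), _base(ev.target_image)
    if tgt == "lsass.exe":
        return f"remote thread in lsass.exe from {src} (T1055, T1003)"
    if src in SCRIPT_AND_SHELL_HOSTS:
        return f"remote thread from {src} into {tgt} (T1055)"
    return None


def triage(access_events: List[AccessEvent], thread_events: List[RemoteThreadEvent]) -> List[str]:
    findings = [classify_access(e) for e in access_events]
    findings += [classify_remote_thread(e) for e in thread_events]
    return [f for f in findings if f is not None]


# Constructed samples mirroring the evaluation: the injected svchost.exe reads
# lsass (0x1010) and later opens it with PROCESS_ALL_ACCESS to inject;
# Defender's engine reads lsass legitimately; a query-only open is noise.
SAMPLE_ACCESS = [
    AccessEvent("C:\\Windows\\System32\\svchost.exe", 2144, "C:\\Windows\\System32\\lsass.exe", "0x1010"),
    AccessEvent("C:\\Windows\\System32\\svchost.exe", 2144, "C:\\Windows\\System32\\lsass.exe", "0x1FFFFF"),
    AccessEvent("C:\\Program Files\\Windows Defender\\MsMpEng.exe", 1360, "C:\\Windows\\System32\\lsass.exe", "0x1010"),
    AccessEvent("C:\\Windows\\System32\\svchost.exe", 2144, "C:\\Windows\\System32\\lsass.exe", "0x1000"),
    AccessEvent("C:\\Windows\\System32\\svchost.exe", 2144, "C:\\Windows\\explorer.exe", "0x1010"),
]
SAMPLE_THREADS = [
    RemoteThreadEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", 3312, "C:\\Windows\\System32\\cmd.exe", 4040),
    RemoteThreadEvent("C:\\Windows\\System32\\svchost.exe", 2144, "C:\\Windows\\System32\\lsass.exe", 656),
    RemoteThreadEvent("C:\\Windows\\System32\\csrss.exe", 500, "C:\\Windows\\explorer.exe", 3000),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_ACCESS, SAMPLE_THREADS):
        print(line)
```

Two caveats the rows above illustrate. The source of an lsass thread is whichever process the sensor credits with it; one vendor credited powershell.exe rather than the injected svchost.exe because its earlier alert took precedence, so correlate the Event ID 8 record against the earlier injection into the source process rather than trusting the source image alone. And 0x1010 is also what legitimate memory readers request, so the allow-list is doing real work here; without it the rule is a noise generator rather than a detection.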
| Carbon Black |
|
Telemetry |
|
| Telemetry showed a change in user execution context from Debbie to George between parent and child processes, which is indicative of token manipulation.
| |
| CrowdStrike |
|
Telemetry |
|
| Telemetry showed the compromised process (21898821890) running as Debbie, then children from this process spawning first as Debbie and later as George. This could indicate theft of George's token within the context of the process.
| |
| Cybereason |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe associated with both users Debbie and George, indicating user context change via token manipulation. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious.
| |
| Endgame |
|
Specific Behavior |
|
| A Specific Behavior alert was generated for Privilege Escalation based on rundll32.exe as Debbie, spawning the process cmd.exe as George, which indicated a possible stolen token. The alert was mapped to the correct ATT&CK Technique (T1134 - Access Token Manipulation) and Tactics (Privilege Escalation, Defense Evasion).
|
|
Telemetry (Tainted) |

|
| Telemetry showed the change of user between the parent and child processes rundll32.exe and cmd.exe (tainted by the Privilege Escalation alert).
| |
| FireEye |
|
Telemetry |
|
| Telemetry showed a process (net.exe) executed during Step 4 as user Debbie and a subsequent process (reg.exe) executed during Step 6 as user George, indicating a change in user context from a stolen token.
| |
| F-Secure |
|
Telemetry |
|
| Telemetry showed a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation.
| |
| GoSecure |
|
None |
|
| No detection capability demonstrated for this procedure.
| |
| McAfee |
|
Telemetry |
|
| Telemetry showed a change in user execution context from Debbie to George between processes, which is indicative of token manipulation.
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed svchost.exe as a high integrity process running as SYSTEM and a subsequent cmd.exe process running as user George (tainted by the parent alert on suspicious process injection into lsass.exe). Svchost.exe was executed with the seclogon command-line argument, indicating token manipulation.
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation. The telemetry was tainted by a parent process injection alert on cmd.exe.
| |
| RSA |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| SentinelOne |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| Carbon Black |
|
Enrichment |
|
| The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry).
|
|
Telemetry |
|
| Telemetry showed cmd.exe executing reg.exe with command-line arguments.
| |
| CrowdStrike |
|
General Behavior (Delayed, Tainted) |
 
|
| OverWatch generated a General Behavior alert indicating the reg query command was suspicious. The alert was tainted by the parent cmd.exe process.
|
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by the parent cmd.exe process.
| |
| Cybereason |
|
Telemetry (Tainted) |

|
| Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
| |
| Endgame |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent Process Injection alert.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
| |
| FireEye |
|
Specific Behavior (Delayed) |

|
| The Managed Defense Report indicated a Specific Behavior occurred because it identified reg.exe as a reconnaissance command to enumerate a Registry key on the host Conficker to determine the configuration of its Windows Terminal Server service.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
|
|
Enrichment |
|
| The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). An alert was also generated for a File Write To Named Pipe (Weak Signal) for reg.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing reg.exe with command-line arguments. Telemetry also showed that two PIPEs were created as a result of reg.exe execution. The telemetry was tainted by the parent "Powershell process created" alert.
[1]
[2]
[3]
[4]
[5]
| |
| McAfee |
|
General Behavior (Delayed) |

|
| A General Behavior alert was generated indicating that reg.exe command-line arguments contains signs of malicious usage such as encoded content or interacting with Registry keys.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
|
|
Enrichment |
|
| The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
|
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed the execution sequence of reg.exe executing with command-line arguments. The telemetry was tainted by the relationship to prior rundll32.exe activity based on process injection alert context.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed cmd.exe executing reg.exe with command-line arguments.
[1]
[2]
[3]
[4]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID).
[1]
[2]
[3]
[4]
| |
| Vendor | Detection Type | Detection Notes | Screenshots |
| --- | --- | --- | --- |
| Carbon Black | Enrichment | The capability enriched the network connections from rundll32.exe with the correct ATT&CK Technique (T1043 - Commonly Used Port). | 6 screenshots |
| Carbon Black | Telemetry | Telemetry showed network connections over TCP port 80 to 192.168.0.4 (C2 server). | 6 screenshots |
| CrowdStrike | Telemetry | Telemetry showed a connection over TCP port 80 to 192.168.0.4 (C2 server). | 4 screenshots |
| Cybereason | Telemetry (Tainted) | Telemetry showed rundll32.exe opening a connection over port 80. The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process. | 8 screenshots |
| Cybereason | Enrichment (Tainted) | The capability enriched rundll32.exe opening a connection to the C2 server over an "HTTP port" with the correct ATT&CK Tactic (Command and Control) and the Technique (Commonly Used Port). The data was tainted by a parent Injected Shellcode alert. | 8 screenshots |
| Endgame | Telemetry (Tainted) | Telemetry showed a TCP port 80 connection from rundll32.exe to 192.168.0.4 (C2 server). The telemetry was tainted by a parent Malicious File Detection alert. | 8 screenshots |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified C2 communication over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain). | 10 screenshots |
| FireEye | Telemetry | Telemetry showed a connection over port 80 to 192.168.0.4 (C2 server). | 10 screenshots |
| F-Secure | Telemetry | Telemetry showed network connections over port 80 to 192.168.0.4 (C2 server) initiated from rundll32.exe. | 3 screenshots |
| GoSecure | Telemetry (Tainted) | Telemetry showed an outbound network connection from rundll32.exe to 192.168.0.4 (C2 server) over TCP port 80. The telemetry was tainted by the parent "Sponsor Process Established Network Connection" alert. | 3 screenshots |
| McAfee | Telemetry | Telemetry showed connections over TCP port 80 to freegoogleadsenseinfo.com (C2 domain). | 5 screenshots |
| McAfee | Enrichment | The capability enriched rundll32.exe (the process that made the network connection) with the correct ATT&CK Tactic (Command and Control) and the Technique (Commonly Used Port). | 5 screenshots |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence for rundll32.exe opening a connection to 192.186.0.4 (C2 server) over port 80. The telemetry was tainted by the relationship to the previous alert on unexpected behavior originating from rundll32.exe. | 8 screenshots |
| RSA | Telemetry | Telemetry showed connections over TCP port 80 to freegoogleadsenseinfo.com (C2 domain). | 4 screenshots |
| SentinelOne | Telemetry (Tainted) | Telemetry showed a port 80 connection to 192.168.0.4 (C2 server) that was associated with the rundll32 parent process. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID). | 3 screenshots |
| Vendor | Detection Type | Detection Notes | Screenshots |
| --- | --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed network connections over TCP port 80 as well as a modload showing winhttp.dll was loaded, which an analyst could use to determine HTTP was used. | 3 screenshots |
| CrowdStrike | None | No detection capability demonstrated for this procedure, though telemetry showed a connection to 192.168.0.4 (C2 server) on port 80 (no detection showed HTTP specifically). | 6 screenshots |
| Cybereason | Enrichment (Tainted) | The capability enriched rundll32.exe opening an unusual network connection to the C2 server over the port 80 "HTTP port". The data was tagged with the correct ATT&CK Tactic (Command and Control) and Technique (Standard Application Layer Protocol), and also showed the amount of transmitted/received bytes as well as that the winhttp.dll module was loaded (which an analyst could use to determine HTTP was used). The data was tainted by a parent Injected Shellcode alert. | 9 screenshots |
| Endgame | None | No detection capability demonstrated for this procedure, though telemetry showed a connection to port 80 (no detection showed HTTP specifically). | 5 screenshots |
| FireEye | Telemetry | Telemetry showed HTTP GET requests over port 80 to 192.168.0.4 (C2 server). | 6 screenshots |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified C2 communication over HTTP to www.freegoogleadsenseinfo.com (C2 domain). | 6 screenshots |
| F-Secure | Telemetry | Telemetry showed a trace of HTTP connections being made by rundll32.exe to freegoogleadsenseinfo.com (C2 domain). | 5 screenshots |
| GoSecure | Telemetry | Telemetry showed an outbound HTTP request to www.freegoogleadsenseinfo.com (C2 domain). | 4 screenshots |
| McAfee | Telemetry | Telemetry showed network connections over TCP port 80 and that the winhttp.dll module was loaded into the same process (PID 6276) that made the network connection, which an analyst could use to determine HTTP was used. | 5 screenshots |
| Microsoft | None | No detection capability demonstrated for this procedure, though telemetry showed a connection to port 80 (no detection showed HTTP specifically). | 5 screenshots |
| Palo Alto Networks | Telemetry | Telemetry showed port 80 command and control traffic as well as the loading of winhttp.dll, which an analyst could use to determine HTTP was used. | 2 screenshots |
| RSA | None | No detection capability demonstrated for this procedure, though telemetry showed a connection to TCP port 80 (no detection showed HTTP specifically). | 2 screenshots |
| SentinelOne | None | No detection capability demonstrated for this procedure. | 2 screenshots |
| Vendor | Detection Type | Detection Notes | Screenshots |
| --- | --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed separate network connections over TCP port 80 and UDP port 53, which could indicate multiband communication. | 2 screenshots |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed connections over both DNS and TCP port 80, which could indicate multiband communication. The DNS connections were tainted by a parent Exfiltration alert. | 2 screenshots |
| Cybereason | Telemetry (Tainted) | Telemetry showed the same rundll32.exe opening a connection over port 80 while making DNS queries to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process. | 1 screenshot |
| Endgame | Telemetry (Tainted) | Telemetry showed connections over DNS as well as over port 80, which could indicate multiband communication. The telemetry was tainted by a parent Malicious File Detection alert. | 2 screenshots |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified C2 communication over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) in addition to the ongoing DNS C2. | 2 screenshots |
| FireEye | Telemetry | Telemetry showed a combination of both DNS requests as well as HTTP requests, which could indicate multiband communication. | 2 screenshots |
| F-Secure | Telemetry | Telemetry showed rundll32.exe making network connections over port 80 to 192.168.0.4 (C2 server) as well as earlier identified DNS queries, which could indicate multiband communication. | 2 screenshots |
| GoSecure | Telemetry (Tainted) | Telemetry showed C2 traffic was over TCP port 80 as well as earlier traffic over DNS, which could indicate multiband communication. The HTTP telemetry over TCP port 80 was tainted by the parent "Sponsor Process Established Network Connection" alert. | 2 screenshots |
| McAfee | None | No detection capability demonstrated for this procedure. |  |
| Microsoft | Telemetry (Tainted) | Telemetry showed an execution sequence for rundll32.exe opening a connection to 192.168.0.4 (C2 server) over port 80, and prior activity showed DNS traffic to the same C2 IP address, which could indicate multiband communication. The port 80 telemetry was tainted by the relationship to the previous alert on unexpected behavior originating from rundll32.exe. | 3 screenshots |
| Palo Alto Networks | Telemetry | Telemetry showed command and control traffic for both ports 80 and 53. | 1 screenshot |
| RSA | None | No detection capability demonstrated for this procedure. |  |
| SentinelOne | Telemetry (Tainted) | Telemetry showed port 80 connections to 192.168.0.4 (C2 server) and DNS requests for freegoogleadsenseinfo.com (C2 domain), which could indicate multiband communication. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID). | 2 screenshots |
| Vendor | Detection Type | Detection Notes | Screenshots |
| --- | --- | --- | --- |
| Carbon Black | Enrichment | The capability enriched the rdpclip.exe events with the correct ATT&CK Technique (Remote Desktop Protocol). | 5 screenshots |
| Carbon Black | Telemetry | Telemetry showed a connection to 10.0.0.5 (Conficker) over TCP port 3389 as well as rdpclip.exe executing. | 5 screenshots |
| CrowdStrike | Telemetry | Telemetry showed a connection for logon type 10 (interactive logon) and a connection to 10.0.0.5 (Conficker) over TCP port 3389. | 7 screenshots |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because they identified suspicious communications over port 3389 (RDP) to other hosts. | 7 screenshots |
| Cybereason | Telemetry (Tainted) | Telemetry showed cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) with Remote Interactive Logon Type. The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process. Telemetry also showed rdpclip.exe executing on 10.0.0.5 (Conficker). | 8 screenshots |
| Endgame | Telemetry (Tainted) | Telemetry showed a connection over port 3389 to 10.0.0.5 (Conficker) as well as a Type 10 (interactive remote) login event by user George on Conficker. The port 3389 telemetry was tainted by a parent Process Injection alert. | 5 screenshots |
| FireEye | Enrichment | The capability enriched the RDP connection from rundll32.exe with an alert for RDP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1076 - Remote Desktop Protocol) and Tactic (Lateral Movement). | 6 screenshots |
| F-Secure | Telemetry | Telemetry showed rundll32.exe making network connections to 10.0.0.5 (Conficker) over port 3389. | 3 screenshots |
| GoSecure | Telemetry | Telemetry also identified an inbound connection to Conficker over TCP port 3389. | 4 screenshots |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe creating an outbound TCP port 3389 (RDP) connection from Nimda and enriched the connection with the conditions Lateral Movement and Remote Share Access. The enrichment was tainted by the parent "Windows command prompt invoked" alert. | 4 screenshots |
| McAfee | Enrichment | The capability enriched rundll32.exe (the process that made the network connection) with the correct ATT&CK Tactic (Lateral Movement) and the Technique (Remote Desktop Protocol). | 5 screenshots |
| McAfee | Telemetry | Telemetry showed a connection to 10.0.0.5 (Conficker) over TCP port 3389. | 5 screenshots |
| Microsoft | Telemetry | Telemetry showed the execution sequence for cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker). Logon activity over the last 30 days on Conficker shows George with a logon type 10 RemoteInteractive logon event. Telemetry also showed George logged into Conficker and displayed a movement graph of activity from user account Debbie to George. | 7 screenshots |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker). The telemetry was tainted by a parent process injection alert on cmd.exe. | 5 screenshots |
| Palo Alto Networks | General Behavior (Tainted) | A General Behavior alert was generated for an unexpected process using the RDP port. The data was tainted by a parent process injection alert on cmd.exe. | 5 screenshots |
| RSA | Telemetry | Telemetry showed cmd.exe connecting to 10.0.0.5 (Conficker) over port 3389. | 1 screenshot |
| SentinelOne | Telemetry (Tainted) | Telemetry showed a port 3389 connection. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID). | 3 screenshots |
| Vendor | Detection Type | Detection Notes | Screenshots |
| --- | --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed Registry modification events related to the creation of the user account Jesse. | 2 screenshots |
| Carbon Black | Enrichment (Configuration Change) | The capability enriched lsass.exe with the tag "Create Accounts using GUI". | 2 screenshots |
| CrowdStrike | Telemetry | Telemetry showed the creation of the user Jesse and the user being added to the domain admin group. | 3 screenshots |
| Cybereason | Telemetry | Telemetry showed lsass.exe creating a Registry key for user Jesse, indicating that the user is new. | 1 screenshot |
| Endgame | None | No detection capability demonstrated for this procedure. |  |
| FireEye | Telemetry | Telemetry from Conficker showed the creation of the new user Jesse. | 2 screenshots |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified the creation of a local user account for Jesse on Conficker. | 2 screenshots |
| F-Secure | Telemetry | Telemetry showed the creation of the new user Jesse. | 1 screenshot |
| GoSecure | Specific Behavior (Configuration Change) | A Specific Behavior alert named "New user account created" was generated based on the Registry change identifying that the new user Jesse was created. A child event of the alert indicated that the account had been added to the local admins group (but did not identify the account creation specifically). | 2 screenshots |
| McAfee | Telemetry | Telemetry showed the creation of the user Jesse. | 1 screenshot |
| Microsoft | Telemetry (Configuration Change) | Telemetry showed data for account Jesse creation after a configuration change to enable collection of event ID 4720. | 1 screenshot |
| Palo Alto Networks | Enrichment | The capability enriched the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Create Account). | 2 screenshots |
| Palo Alto Networks | Telemetry | Telemetry showed mmc.exe creating a Registry key for user Jesse, indicating that the user is new. | 2 screenshots |
| RSA | None | No detection capability demonstrated for this procedure. |  |
| SentinelOne | Telemetry | Telemetry showed the creation of the user Jesse, which was noted from SAM Registry events. | 1 screenshot |
| Vendor | Detection Type | Detection Notes | Screenshots |
| --- | --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). | 1 screenshot |
| CrowdStrike | Telemetry | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). | 1 screenshot |
| Cybereason | Telemetry | Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in). | 1 screenshot |
| Endgame | Telemetry | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). | 1 screenshot |
| FireEye | Telemetry | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). | 1 screenshot |
| F-Secure | Telemetry | Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in). | 1 screenshot |
| GoSecure | Telemetry (Tainted) | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in) (tainted by the parent "LSA Registry Key modified" alert). | 1 screenshot |
| McAfee | Telemetry | Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in). | 1 screenshot |
| Microsoft | Telemetry | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). | 1 screenshot |
| Palo Alto Networks | Enrichment | The capability enriched the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Graphical User Interface). | 2 screenshots |
| Palo Alto Networks | Telemetry | Telemetry showed mmc.exe, the Microsoft Management Console, executing the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. | 2 screenshots |
| RSA | None | No detection capability demonstrated for this procedure. |  |
| SentinelOne | None | No detection capability demonstrated for this procedure. |  |
| Vendor | Detection Type | Detection Notes | Screenshots |
| --- | --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. | 9 screenshots |
| CrowdStrike | Telemetry | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. | 10 screenshots |
| Cybereason | Telemetry | Telemetry showed mmc.exe, the Microsoft Management Console, executing the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. | 11 screenshots |
| Endgame | Telemetry | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. | 10 screenshots |
| FireEye | Telemetry | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. | 11 screenshots |
| F-Secure | Telemetry | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. | 9 screenshots |
| GoSecure | Telemetry (Tainted) | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. The telemetry was tainted by the parent "LSA Registry Key modified" alert. | 5 screenshots |
| McAfee | Telemetry | Telemetry showed mmc.exe, the Microsoft Management Console, executing the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. | 9 screenshots |
| Palo Alto Networks | Enrichment | The capability enriched mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in) as reconnaissance via the MMC utility with the local users and groups view. | 11 screenshots |
| Palo Alto Networks | Telemetry | Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in). | 11 screenshots |
| RSA | None | No detection capability demonstrated for this procedure. | 4 screenshots |
| Vendor | Detection Type | Detection Notes | Screenshots |
| --- | --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed file modification events indicating updater.dll being created and written to disk. | 4 screenshots |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed the file write for updater.dll into the system32 folder by user George. The telemetry was tainted by the parent "unexpected process" alert. | 8 screenshots |
| Cybereason | Telemetry (Tainted) | Telemetry showed the creation of updater.dll. Telemetry was tainted by a parent alert on cmd.exe (listed as the owner process) generated based on updater.dll being detected as known malware. | 7 screenshots |
| Endgame | Telemetry (Tainted) | Telemetry showed the creation of updater.dll (tainted by the parent Malicious File Detection). | 4 screenshots |
| FireEye | Enrichment | The capability enriched updater.dll being written by cmd.exe with an alert for CMD File Write (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and a related ATT&CK Technique (T1059 - Command-Line Interface) and Tactic (Execution). | 10 screenshots |
| FireEye | Telemetry (Tainted) | Telemetry showed the file write for updater.dll into the system32 folder. The telemetry was tainted by the parent AV signature alert for updater.dll. | 10 screenshots |
| F-Secure | Enrichment | The capability enriched the creation of updater.dll, identifying that a command prompt modified an unknown DLL. | 6 screenshots |
| GoSecure | Telemetry (Tainted) | Telemetry showed creation of updater.dll. The telemetry was tainted by the parent "Powershell process created" alert. | 6 screenshots |
| McAfee | Specific Behavior | A Specific Behavior alert was generated for a new dynamic library created in the Windows system (System32) folder. | 8 screenshots |
| McAfee | Specific Behavior | A Specific Behavior alert was generated for a new PE file created in the Windows system (System32) folder. | 8 screenshots |
| Palo Alto Networks | Specific Behavior | A Specific Behavior alert was generated for a Windows scripting engine creating an executable on disk. | 10 screenshots |
| Palo Alto Networks | Specific Behavior (Tainted) | A Specific Behavior alert was generated for a script engine creating/writing a DLL in the system32 folder. The alert was tainted by a parent process injection alert on cmd.exe. | 10 screenshots |
| Palo Alto Networks | Telemetry | Telemetry showed the file create event for updater.dll. | 10 screenshots |
| RSA | Telemetry | Telemetry showed the file write of updater.dll. | 4 screenshots |
| SentinelOne | Telemetry (Tainted) | Telemetry showed the file write of updater.dll. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). | 6 screenshots |
| Vendor | Detection Type | Detection Notes | Screenshots |
| --- | --- | --- | --- |
| Carbon Black | Specific Behavior | A Specific Behavior alert was generated, mapped to the correct ATT&CK Technique (T1053 - Scheduled Task). | 4 screenshots |
| Carbon Black | Telemetry | Telemetry showed the process tree containing schtasks.exe as well as the full command-line arguments. | 4 screenshots |
| CrowdStrike | Telemetry | Telemetry showed the creation of the scheduled task. | 4 screenshots |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team also sent an email indicating a Specific Behavior was observed because a scheduled task was created for persistence. | 4 screenshots |
| CrowdStrike | General Behavior (Delayed, Tainted) | OverWatch generated a General Behavior alert indicating the creation of the scheduled task was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection. | 4 screenshots |
| Cybereason | Enrichment | The capability enriched schtasks.exe creating the Resume Viewer Update Checker scheduled task as reboot persistence and as SYSTEM. The data was also mapped to the correct ATT&CK Tactic (Persistence). | 4 screenshots |
| Cybereason | Telemetry | Telemetry showed the Resume Viewer Update Checker scheduled task. | 4 screenshots |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched the event tree with the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence) (tainted by the parent Malicious File Detection alert). | 5 screenshots |
| Endgame | Enrichment | The capability enriched data from a hunt for persistence via scheduled task, which showed the "Resume Viewer Update Checker" scheduled task. | 5 screenshots |
| Endgame | Specific Behavior (Tainted) | A Specific Behavior alert for "Persistence-Scheduled Task Creation" was generated (tainted by the parent Malicious File Detection alert). The alert was also mapped to the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence). | 5 screenshots |
| Endgame | Telemetry (Tainted) | Telemetry showing creation of the scheduled task was also visible in an event tree (tainted by the parent Malicious File Detection alert). | 5 screenshots |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that updater.dll persisted through the creation of a scheduled task. | 6 screenshots |
| FireEye | Enrichment | The capability enriched schtasks.exe with an alert for Scheduled Task Activity (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactics (Execution, Persistence, and Privilege Escalation). | 6 screenshots |
| F-Secure | Telemetry | Telemetry showed cmd.exe registering the "Resume Viewer Update Checker" scheduled task. | 2 screenshots |
| GoSecure | Specific Behavior | A Specific Behavior alert called "Schtasks with create command" was generated due to a schtasks.exe process create from cmd.exe. | 2 screenshots |
| GoSecure | Telemetry | Telemetry within the Schtasks alert showed a process creation of schtasks.exe from cmd.exe, and would be available in a separate view. | 2 screenshots |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe creating the "Resume Viewer Update Checker" scheduled task via schtasks.exe. The telemetry was tainted by a trace detection on cmd.exe. | 3 screenshots |
| McAfee | Specific Behavior | A Specific Behavior alert was generated for a task being created that runs an executable (via rundll32) under system rights at Windows logon. The alert was tagged with the correct ATT&CK Tactics (Execution, Persistence, Privilege Escalation) and Technique (Scheduled Task). | 3 screenshots |
| Microsoft | Specific Behavior (Delayed) | A delayed Specific Behavior alert was generated on a low-reputation DLL persisting through a scheduled task. | 3 screenshots |
| Microsoft | Telemetry | Telemetry showed cmd.exe registering the "Resume Viewer Update Checker" scheduled task. | 3 screenshots |
| Palo Alto Networks | Specific Behavior (Tainted) | A Specific Behavior alert was generated for the creation of a new scheduled task. The alert was tainted by a parent process injection alert on cmd.exe. | 6 screenshots |
| Palo Alto Networks | Enrichment | The capability enriched schtasks.exe creating the Resume Viewer Update Checker scheduled task with the correct ATT&CK Technique (Scheduled Task). | 6 screenshots |
| Palo Alto Networks | Specific Behavior (Tainted) | A Specific Behavior alert was generated for a commonly abused host process scheduling a task. The alert was tainted by a parent process injection alert on cmd.exe. | 6 screenshots |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed schtasks.exe creating the Resume Viewer Update Checker scheduled task as reboot persistence and as SYSTEM. The telemetry was tainted by a parent process injection alert on cmd.exe. | 6 screenshots |
| RSA | Telemetry | Telemetry showed the execution of schtasks.exe as well as the full command-line arguments. | 2 screenshots |
| SentinelOne | Telemetry (Tainted) | Telemetry showed execution of schtasks.exe and associated command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). | 3 screenshots |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry showed cmd.exe executing dir with command-line arguments. |
| Carbon Black | Enrichment | The capability enriched cmd.exe with the correct ATT&CK Technique (T1083 - File and Directory Discovery). |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe running dir. The process tree view showed the cmd.exe process that ran dir as tainted by a prior detection. |
| Cybereason | Enrichment (Tainted) | The capability enriched cmd.exe executing dir with command-line arguments with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery). The data was tainted by a parent Injected Shellcode alert. |
| Cybereason | Telemetry | Telemetry showed cmd.exe executing dir with command-line arguments. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched dir with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). The enrichment was also tainted by a parent Malicious File Detection. |
| Endgame | Telemetry (Tainted) | Telemetry within an event tree (tainted by a parent Malicious File Detection) showed cmd.exe executing dir with command-line arguments. |
| FireEye | Enrichment | The capability enriched cmd.exe executing dir with an alert for Dir Command (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). |
| F-Secure | Enrichment | The capability enriched cmd.exe executing the dir command, indicating that the parameter was a directory listing of a network drive associated with potential reconnaissance. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (cmd.exe running dir) had been tagged for monitoring because its parent process (rundll32.exe) had a detection. |
| F-Secure | General Behavior | A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing dir), which was identified as extremely rare and suspicious. |
| GoSecure | Telemetry (Tainted) | Telemetry showed that svchost.exe created cmd.exe, which executed dir. The telemetry was tainted by the parent "Powershell process created" alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing the dir command. The telemetry was tainted by a trace detection on cmd.exe. |
| McAfee | Enrichment | The capability enriched cmd.exe executing the dir command with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery). |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence for cmd.exe executing dir with command-line arguments. The telemetry was tainted by a prior alert on rundll32.exe being executed without command-line arguments. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched cmd.exe executing dir with command-line arguments as the execution of the dir command on a network location. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment | A General Behavior alert was generated for a commonly abused process (cmd.exe) spawning out of rundll32.exe. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed cmd.exe executing dir with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry showed cmd.exe executing tree.com with command-line arguments. |
| Carbon Black | Enrichment | The capability enriched tree.com with the correct ATT&CK Technique (T1083 - File and Directory Discovery). |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed cmd.exe running tree with command-line arguments. The process tree view also showed the cmd.exe that was the parent of tree.com as tainted by a prior detection. |
| CrowdStrike | General Behavior (Delayed, Tainted) | OverWatch generated a General Behavior alert indicating tree.com was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was identified because tree was one of the reconnaissance commands performed. |
| Cybereason | Telemetry | Telemetry showed cmd.exe executing tree with command-line arguments. |
| Cybereason | Enrichment (Tainted) | The capability enriched cmd.exe executing tree with command-line arguments with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery). The data was tainted by a parent Injected Shellcode alert. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched tree with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). The enrichment was also tainted by a parent Malicious File Detection. |
| Endgame | Telemetry (Tainted) | Telemetry within an event tree (tainted by a parent Malicious File Detection) showed cmd.exe executing tree with command-line arguments. |
| FireEye | Enrichment | The capability enriched cmd.exe executing tree with an alert for Tree Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker performed a directory listing of the contents of Debbie's user profile directory. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (cmd.exe running tree) had been tagged for monitoring because its parent process (rundll32.exe) had a detection. |
| F-Secure | General Behavior | A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing tree), which was identified as extremely rare and suspicious. |
| F-Secure | Enrichment | The capability enriched cmd.exe executing the tree command with a tag identifying the command as enumeration. |
| GoSecure | Telemetry (Tainted) | Telemetry showed that svchost.exe created cmd.exe, which executed tree with command-line arguments. The telemetry was tainted by the parent "Powershell process created" alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed cmd.exe executing tree.exe. The telemetry was tainted by a trace detection on cmd.exe. |
| McAfee | Enrichment | The capability enriched cmd.exe executing tree.exe with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery). |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence for cmd.exe executing tree.com with command-line arguments. The telemetry was tainted by a prior alert on rundll32.exe being executed without command-line arguments. |
| Palo Alto Networks | Enrichment | The capability enriched cmd.exe executing tree with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery). |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed cmd.exe executing tree with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed cmd.exe executing tree with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed cmd.exe executing tree with command-line arguments. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure, though telemetry showed explorer.exe injecting from a known beacon (does not detect input capture specifically). |
| Cybereason | None | No detection capability was available, though an alert was generated based on a chain of injections caused by process injection from powershell.exe to cmd.exe and then explorer.exe. Data within the alert showed the loaded keyloggerx64.dll module, and additional data showed the memory address and size of the module within explorer.exe. |
| Endgame | None | No detection capability demonstrated for this procedure, though strings were pulled from a Process Injection alert, which identified functionality of code indicating keylogging, but no proof of execution was identified. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | None | No detection capability demonstrated for this procedure. |
| GoSecure | None | No detection capability demonstrated for this procedure, though telemetry showed a remote thread being created from cmd.exe in explorer.exe. The vendor noted that if a user determined the process creation was suspicious, the user could manually kick off a DDNA scan from the Command-Line Interface (CLI) view by using the Process ID (PID). |
| McAfee | None | No detection capability demonstrated for this procedure, though an alert indicated cmd.exe obtained a handle to the memory thread and injected code into explorer.exe. |
| Microsoft | Specific Behavior (Delayed) | A delayed Specific Behavior alert was generated on "Possible keylogging activity" against explorer.exe. |
| Microsoft | Telemetry (Configuration Change) | Telemetry showed events indicating "explorer.exe is reading user keystrokes." |
| Palo Alto Networks | Enrichment | The capability enriched the execution of a specific API call as keylogging and suspicious activity. Though it does not count as a detection, the capability also showed code and hook injections into explorer.exe. |
| RSA | None | No detection capability demonstrated for this procedure, though a floating code "IIOC" module alerted with an elevated risk score for DLL injection. An analyst could explore the module and observe the keylogger aggressor script, but this only showed that there is a potential capability of a keylogger, not that execution occurred. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed GetAsyncKeyStateApi, which was indicative of keylogging. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | None | No detection capability demonstrated for this procedure. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | None | No detection capability demonstrated for this procedure. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure, though modloads showed the thumbnail COM object masquerading, followed by a modload of dwmapi.dll (Microsoft Desktop Windows Manager API) and then a cross-process (open process) to the target application, which could be indicative of screen capture behavior. |
| CrowdStrike | None | No detection capability demonstrated for this procedure, though telemetry showed explorer.exe injecting from a known beacon (does not detect screen capture specifically). |
| Cybereason | None | No detection capability was available, though an alert was generated based on explorer.exe being flagged for loading a Meterpreter Agent. Data within a previous process injection alert showed the loaded screenshotx64.dll module. |
| Endgame | None | No detection capability demonstrated for this procedure, though strings were pulled from a Process Injection alert, which identified functionality of code indicating screen capture, but no proof of execution was identified. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | None | No detection capability demonstrated for this procedure. |
| GoSecure | None | No detection capability demonstrated for this procedure, though telemetry showed a remote thread being created from cmd.exe into explorer.exe. The vendor also noted that if a user determined the process creation was suspicious, the user could manually kick off a DDNA scan. DDNA results on this process reported "This module may capture screen shots," indicating the module has the capability to perform this. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | Enrichment (Configuration Change) | The capability enriched an explorer.exe process with ScreenshotTaken. |
| Palo Alto Networks | Enrichment | The capability enriched the execution of a specific API call as information gathering using screen capture and suspicious activity. |
| RSA | None | No detection capability demonstrated for this procedure, though a floating code "IIOC" module alerted with an elevated risk score for DLL injection. An analyst could explore the module and observe multiple components related to JPEGs, which may be related to screenshots, but this does not show that execution occurred. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry showed a cross-process "open handle" event into explorer.exe, which could be indicative of process injection. |
| CrowdStrike | Telemetry | Telemetry showed InjectedThread events for explorer.exe (pid=21776848613) injecting from cmd.exe (pid=21898821890), which is a known beacon. |
| Cybereason | Specific Behavior | A Specific Behavior alert was generated based on a malicious code injection caused by process injection into explorer.exe. The alert was mapped to the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection) and indicated that explorer.exe was hosting injected threads and loading malicious files. |
| Endgame | Specific Behavior (Tainted) | A Specific Behavior alert for process injection was generated with cmd.exe as the source. The alert was tainted by parent Malicious File Detection and process injection alerts, and was also labeled with the correct ATT&CK Technique (T1055 - Process Injection) and Tactics (Defense Evasion and Execution). |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | None | No detection capability demonstrated for this procedure. |
| GoSecure | Telemetry | Telemetry showed a remote thread being created from cmd.exe into explorer.exe, which could be indicative of process injection. |
| McAfee | Specific Behavior (Tainted) | A Specific Behavior alert was generated for code injection into explorer.exe. The alert was tagged with the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection) and was tainted by a trace detection on cmd.exe. |
| Microsoft | Enrichment | The capability enriched the execution sequence for cmd.exe injecting into explorer.exe with the label "Inject to process." |
| Palo Alto Networks | Enrichment | The capability enriched cmd.exe injecting into explorer.exe as code injection via CreateThread. |
| RSA | None | No detection capability demonstrated for this procedure, though a floating code "IIOC" module alerted with an elevated risk score for DLL injection. There was no telemetry available for the processes that were injected into to verify their relation to this procedure. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed the sequence of events related to process injection from powershell.exe into explorer.exe. The capability associated the process with the highest threat to the event (powershell.exe) instead of cmd.exe (the expected source of the injection) because it had an alert associated with it previously. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure, though telemetry showed a connection between Nimda (10.0.1.6) and the source of the file, Conficker (10.0.0.5), over port 445. |
| Endgame | None | No detection capability demonstrated for this procedure, though file creation telemetry showed that the .vsdx file was created (no indication it was created from a shared drive). |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | None | No detection capability demonstrated for this procedure. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Telemetry | Telemetry showed a file read event for the .vsdx file from the network shared drive. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Telemetry | Telemetry showed remote file access behavior for the .vsdx file from the network shared drive. |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure, though telemetry showed a connection between Nimda (10.0.1.6) and the source of the file, Conficker (10.0.0.5), over port 445. |
| Endgame | None | No detection capability demonstrated for this procedure. |
| FireEye | None | No detection capability demonstrated for this procedure, though DNS requests for freegoogleadsenseinfo.com (C2 domain) were observed. |
| F-Secure | None | No detection capability demonstrated for this procedure. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | None | No detection capability demonstrated for this procedure, though port 53 network traffic to/from freegoogleadsenseinfo.com (C2 domain) was observed. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry within the process tree showed cmd.exe executing autoupdate.bat from the Startup folder. |
| CrowdStrike | Telemetry | Telemetry showed cmd.exe running autoupdate.bat from the Startup folder. |
| Cybereason | Telemetry (Tainted) | Telemetry showed rundll32.exe executing autoupdate.bat from the Startup folder. The telemetry was tainted by a parent Injected Shellcode alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed the process chain for rundll32.exe execution of update.dat. The telemetry was tainted by the parent alert for "RunDLL32 with Suspicious DLL Location." |
| FireEye | Telemetry | Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder. |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that autoupdate.bat persisted due to its presence in the startup directory. |
| FireEye | Telemetry (Tainted) | Telemetry showed rundll32.exe executing update.dll with command-line arguments. The telemetry was tainted by the parent alert for Rundll32 Execution (Weak Signal). |
| FireEye | Enrichment | The capability enriched cmd.exe executing a file from Startup with an alert for Process Execution Startup. The alert was also tagged with the correct ATT&CK Technique (T1060 - Registry Run Keys / Startup Folder) and Tactic (Persistence). |
| F-Secure | Specific Behavior | A Specific Behavior alert was generated for a batch file automatically being started from the Startup folder. |
| F-Secure | Telemetry | Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder. |
| GoSecure | Telemetry | Telemetry showed cmd.exe starting rundll32.exe, which started update.dat, as well as cmd.exe executing autoupdate.bat from the Startup folder. |
| McAfee | Telemetry | Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder, then update.dat via rundll32.exe. |
| Microsoft | Telemetry | Telemetry showed the execution sequence of cmd.exe executing autoupdate.bat from the Startup folder to start update.dat. |
| Palo Alto Networks | Telemetry | Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder. |
| RSA | Telemetry | Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder. |
| SentinelOne | Telemetry | Telemetry showed execution of autoupdate.bat from the Startup folder for persistence. The telemetry was associated with a new story (Group ID) but was not marked as malicious or tainted because it is not associated with an alert. |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry within the process tree showed rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule". |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed rundll32.exe starting updater.dll. The telemetry was tainted by the parent OverWatch alert. |
| Cybereason | Telemetry (Tainted) | Telemetry showed rundll32.exe executing update.dat with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. |
| Endgame | Telemetry (Tainted) | Telemetry within the event tree showed rundll32.exe executing updater.dll. The telemetry was tainted by a Malicious File Detection alert for updater.dll and a Process Injection alert. |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified the Resume Viewer Update Checker scheduled task executing updater.dll with rundll32.exe. |
| FireEye | Telemetry (Tainted) | Telemetry showed svchost.exe executing rundll32.exe, which executed updater.dll. The telemetry was tainted by the parent Rundll32 Execution alert, which was tagged with a related ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution), but did not include information on the use of a Scheduled Task specifically. |
| F-Secure | Telemetry | Telemetry showed rundll32.exe executing updater.dll. |
| GoSecure | Telemetry (Tainted) | Telemetry showed svchost.exe executing rundll32.exe, which executed updater.dll. The telemetry was tainted by the parent "Sponsor process started V2" alert. |
| McAfee | Telemetry | Telemetry showed rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule". |
| Microsoft | Telemetry | Telemetry showed the execution sequence for rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule". |
| Palo Alto Networks | Telemetry | Telemetry showed the execution sequence for rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule". |
| RSA | Telemetry | Telemetry showed rundll32.exe executing updater.dll. |
| SentinelOne | Telemetry | Telemetry showed rundll32.exe executing updater.dll as part of the scheduled task persistence. The telemetry was associated with the execution of autoupdate.bat for persistence because it was associated with the same story (Group ID), but it was not marked as malicious or tainted because it is not associated with an alert. |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Enrichment | The capability enriched rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol). |
| Carbon Black | Telemetry | Telemetry within the process tree showed rdpclip.exe execution by the user Jesse on the destination system of the RDP connection. |
| CrowdStrike | Telemetry | Telemetry showed a type 10 (interactive) UserLogon event for Jesse. |
| Cybereason | Telemetry | Telemetry showed the logon session for Jesse to Conficker (10.0.0.5) as a Remote Interactive Logon Type. |
| Endgame | Telemetry (Tainted) | Telemetry showed that the userinit.exe process was running as the user Jesse, indicating Jesse logged in. The telemetry was tainted by the parent "Start Folder Persistence" alert. |
| FireEye | Telemetry | Telemetry showed a Logon Type 10 (interactive) event for the account Jesse logging on to Conficker. |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that the account Jesse was used to log in to Conficker as part of Lateral Movement. |
| F-Secure | Telemetry | Telemetry showed a remote interactive logon event for the account Jesse logging on to Conficker (10.0.0.5) over port 3389. |
| GoSecure | Telemetry | Telemetry showed that the explorer.exe process was running as the user Jesse, indicating the account exists. |
| McAfee | Telemetry | Telemetry showed a remote interactive logon for Jesse to Conficker (10.0.0.5). |
| Palo Alto Networks | Telemetry | Telemetry showed userinit.exe as well as explorer.exe spawned as the user Jesse. |
| RSA | Telemetry | Telemetry showed "unregmp2.exe /FirstLogon" (associated with user logon) as well as the user name "Jesse J" within Machine Properties. |
| SentinelOne | Telemetry | Telemetry showed the Jesse account had logged into the system. |
| Vendor | Detection Type | Description |
| --- | --- | --- |
| Carbon Black | Telemetry | Telemetry within the process tree showed rdpclip.exe execution by the user Jesse on the destination system of the RDP connection. |
| | Enrichment | The capability enriched rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol). |
| CrowdStrike | Telemetry | Telemetry showed the remote connection to Conficker for a user logon by Jesse with type 10 (interactive) as well as the use of rdpclip.exe by the logged-on user. |
| | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior occurred because they observed suspicious communications over 3389 (RDP) to other hosts. |
| Cybereason | Telemetry (Tainted) | Telemetry showed the logon session for Jesse to Conficker (10.0.0.5) as a Remote Interactive Logon Type. Telemetry also showed a connection over port 3389 to Conficker (10.0.0.5) through rundll32.exe serving as a proxy. The telemetry was tainted by a parent Injected Shellcode alert. |
| Endgame | Telemetry | Telemetry showed a Type 10 logon event (corresponding to interactive) for Jesse as well as remote connections over port 3389 to 10.0.0.5 (Conficker). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified the user account Jesse logged on to Conficker via Remote Desktop Protocol. |
| | Enrichment | The capability enriched a TCP port 3389 connection to 10.0.0.5 (Conficker) with the alert RDP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1076 - Remote Desktop Protocol) and Tactic (Lateral Movement). |
| | Telemetry | Telemetry showed a Logon Type 10 (interactive) event for the account Jesse logging on to Conficker. |
| F-Secure | Telemetry | Telemetry showed a remote interactive logon event for the account Jesse logging on to Conficker (10.0.0.5) over port 3389. |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability enriched a TCP port 3389 (RDP) connection to 10.0.0.5 (Conficker) with the conditions Lateral Movement and Remote Share Access. One connection event was tainted by the parent "Windows command prompt invoked" alert. |
| McAfee | Enrichment | The capability enriched the rundll32.exe that made the network connection with the correct ATT&CK Tactic (Lateral Movement) and Technique (Remote Desktop Protocol). |
| | Telemetry (Tainted) | Telemetry showed a remote interactive logon for Jesse to Conficker (10.0.0.5) as well as a connection to 10.0.0.5 (Conficker) over port 3389 from rundll32.exe. The telemetry was tainted by a trace detection on rundll32.exe. |
| Microsoft | Telemetry | Telemetry showed a successful connection to Conficker (10.0.0.5) over port 3389 from rundll32.exe. |
| Palo Alto Networks | Enrichment | The capability enriched the network connection over port 3389 with the correct ATT&CK Technique (Remote Desktop Protocol). |
| | Telemetry | Telemetry showed a successful incoming connection to Conficker (10.0.0.5) over port 3389. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Telemetry (Tainted) | Telemetry from Nimda showed a TCP port 3389 connection from 10.0.1.6 (Nimda) to 10.0.0.5 (Conficker). The rundll32.exe process (PID 184) that was used to load updater.dll was used to proxy the RDP connection to Conficker. The telemetry was tainted by the activity generated during the privilege escalation step because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Description |
| --- | --- | --- |
| Carbon Black | Specific Behavior | A Specific Behavior alert was generated indicating that powershell.exe was a suspicious child process of wscript.exe. |
| | Telemetry | Telemetry of a process tree showed powershell.exe execution, including full command-line arguments. |
| | Specific Behavior | A Specific Behavior alert was generated indicating that powershell.exe was executed with encoded command-line arguments. |
| | Enrichment | The capability enriched wscript.exe and powershell.exe with the correct ATT&CK Techniques (T1063 - Scripting, T1086 - PowerShell). |
| CrowdStrike | Telemetry | Telemetry within the OverWatch alert showed wscript.exe executing launcher.vbs, and would be available in a separate view. |
| | General Behavior (Delayed) | A General Behavior alert was generated from OverWatch indicating wscript.exe executing launcher.vbs was suspicious. |
| | Specific Behavior (Delayed) | The OverWatch team also sent an email indicating a Specific Behavior was observed because a malicious script invoked by wscript was run by Bob on CodeRed and launched PowerShell. |
| | Specific Behavior | A Specific Behavior alert was generated indicating "A PowerShell script launched that shares characteristics with known PowerShell exploit kits." |
| Cybereason | Telemetry (Tainted) | Telemetry showed powershell.exe execution, including decoded full command-line arguments, as well as wscript.exe executing autoupdate.vbs. The telemetry was tainted by a parent PowerShell alert. |
| | Specific Behavior | A Specific Behavior alert was generated for powershell.exe, labeled with Command and Control as well as Malicious use of PowerShell. The alert was tagged as an Obfuscated PowerShell payload and mapped to the correct ATT&CK Tactic (Execution) and Technique (PowerShell). |
| Endgame | Telemetry (Tainted) | Telemetry showed the process events associated with wscript.exe executing the autoupdate.vbs script (tainted by parent alert). |
| | Specific Behavior | A Specific Behavior alert was generated for "Windows Script Executing PowerShell" due to wscript.exe launching powershell.exe. The alert was mapped to the correct ATT&CK Technique (T1064 - Scripting) and Tactic (Execution). |
| | Specific Behavior | A Specific Behavior alert was generated indicating that powershell.exe ran with unusual arguments due to the -enc and -noP command-line arguments. The alert was mapped to a related ATT&CK Technique (T1086 - PowerShell) and the correct Tactic (Execution). |
| FireEye | Specific Behavior | A Specific Behavior alert was generated for Suspicious PowerShell Usage (Methodology) indicating powershell.exe ran with unusual arguments due to the -enc and -noP command-line arguments. The alert was mapped to a related ATT&CK Technique (T1086 - PowerShell) and the correct Tactic (Execution) and captured the encoded command. |
| | Indicator of Compromise | An Indicator of Compromise alert was generated for EMPIRE RAT (Backdoor) based on a detected string specific to the backdoor. The alert was also mapped to a related ATT&CK Technique (T1086 - PowerShell). |
| | Enrichment | The capability enriched wscript.exe with an alert for Wscript Execution (Weak Signal). The alert was tagged with the correct ATT&CK Technique (T1064 - Scripting) and Tactic (Execution). |
| F-Secure | Enrichment | The capability enriched wscript.exe executing powershell.exe with a tag indicating that wscript executed code. |
| | Specific Behavior | A Specific Behavior alert was generated for PowerShell executing a long, encoded command. |
| | Telemetry | Telemetry showed wscript.exe executing autoupdate.vbs and subsequently powershell.exe. |
| GoSecure | Telemetry (Tainted) | Telemetry showed wscript.exe executing autoupdate.vbs and that wscript.exe created a powershell.exe process, including the encoded command-line arguments (tainted by the parent Script File Created alert). |
| McAfee | Enrichment | The capability enriched powershell.exe with the correct ATT&CK Tactic (Execution) and Technique (PowerShell) and a suspicious indicator that a PowerShell command was executed. |
| | Enrichment | The capability enriched wscript.exe with the correct ATT&CK Tactics (Defense Evasion, Execution) and Techniques (Scripting, PowerShell) and a suspicious indicator that the VBScript interpreter was executed. |
| | Specific Behavior | A Specific Behavior alert was generated for PowerShell execution with a very long command line. The alert was tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Techniques (Scripting, PowerShell). |
| | Specific Behavior | A Specific Behavior alert was generated for the VBScript interpreter launching a suspicious PowerShell process. The alert was tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Techniques (Scripting, PowerShell). |
| | Telemetry (Tainted) | Telemetry showed wscript.exe (executing autoupdate.vbs) then spawning powershell.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| | Specific Behavior | A Specific Behavior alert was generated for decoding and running encoded scripting sources from another process (wscript.exe). The alert was tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Technique (PowerShell). |
| | Specific Behavior | A Specific Behavior alert was generated for PowerShell commands being executed from another process (wscript.exe). The alert was tagged with the correct ATT&CK Tactic (Execution) and Technique (PowerShell). |
| RSA | Telemetry | Telemetry showed wscript.exe executing autoupdate.vbs and the subsequent PowerShell child process. |
| SentinelOne | Telemetry | Telemetry showed wscript.exe executing autoupdate.vbs, which then executed powershell.exe with an encoded PowerShell script. |
| | General Behavior | A General Behavior alert was generated for the execution of autoupdate.vbs, which was listed as an active threat. |
| Vendor | Detection Type | Description |
| --- | --- | --- |
| Carbon Black | Enrichment | The capability enriched backgroundtaskhost.exe and powershell.exe with the correct ATT&CK Technique (T1043 - Commonly Used Port). |
| | Telemetry | Telemetry showed network connections, including over TCP port 443 to www.freegoogleadsenseinfo.com (C2 domain). |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed powershell.exe making a connection to 192.168.0.5 (C2 server) over port 443. The telemetry was tainted by an alert on its parent powershell.exe process. |
| Cybereason | Telemetry (Tainted) | Telemetry showed powershell.exe making an outgoing connection on TCP port 443 to 192.168.0.5 (C2 server). Telemetry also showed decoded command-line arguments to perform an HTTPS connection to freegoogleadsenseinfo.com (C2 domain) over port 443. The telemetry was tainted by a parent PowerShell alert. |
| | Enrichment (Tainted) | The capability enriched powershell.exe as making a connection over an "HTTP Port". The data was tagged with the correct ATT&CK Technique (Commonly Used Port) and Tactic (Command and Control) and was tainted by a parent PowerShell alert. |
| Endgame | Telemetry (Tainted) | Telemetry showing the decoded powershell.exe command-line arguments showed a connection over port 443 to www.freegoogleadsenseinfo.com (C2 domain) (tainted by parent alert). |
| | Specific Behavior (Tainted) | A Specific Behavior alert for "PowerShell Making Network Connections" was triggered due to powershell.exe making a connection over port 443. The alert was tainted by a parent alert and mapped to the correct ATT&CK Tactic (Command and Control). |
| FireEye | Telemetry (Tainted) | Telemetry showed powershell.exe communicating over TCP port 443. The telemetry was tainted by the parent PowerShell Network Connection alert. |
| | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified that the Empire backdoor communicated with 192.168.0.5 (C2 server) over port 443. |
| F-Secure | Telemetry | Telemetry showed a network connection over port 443 to www.freegoogleadsenseinfo.com (C2 domain). |
| GoSecure | Telemetry | Telemetry showed powershell.exe creating an outbound connection to 192.168.0.5 (C2 server) over TCP port 443. |
| McAfee | Enrichment | The capability enriched powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) and a suspicious indicator that powershell.exe accessed a known TCP port. |
| | Specific Behavior | A Specific Behavior alert was generated for PowerShell sending and receiving information through port 443. The alert was tagged with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port). |
| | Telemetry (Tainted) | Telemetry showed port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a trace detection on wscript.exe. |
| Microsoft | Telemetry (Tainted) | Telemetry showed powershell.exe checking an SSL certificate and then communicating to 192.168.0.5 (C2 server) over port 443 (tainted by relationship to alert on PowerShell script with suspicious content). Telemetry within an alert also showed decoded command-line arguments containing port 443. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent alert on wscript.exe. |
| | Enrichment (Tainted) | The capability enriched the port 443 network connection with the correct ATT&CK Technique (Commonly Used Port). The data was tainted by a parent alert on wscript.exe. |
| | General Behavior (Tainted) | General Behavior alerts were generated for PowerShell making network connections to the internet as well as Wscript connecting to an external network. The alerts were tainted by a parent alert on wscript.exe. |
| RSA | None | No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over port 443 and to letsencrypt.org (no protocol was identified for this traffic). |
| SentinelOne | Telemetry (Tainted) | Telemetry showed network connections to 192.168.0.5 (C2 server) over TCP port 443. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Description |
| --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed modload events importing dynamic libraries usually used for HTTP and SSL communication (e.g. winhttp.dll), followed by a CRL check to a CA, indicating that HTTPS was likely used. |
| CrowdStrike | None | No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic). |
| Cybereason | Telemetry (Tainted) | Telemetry showed decoded command-line arguments to perform an HTTPS connection to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent PowerShell alert. Telemetry also showed that powershell.exe had an outgoing connection on port 443, identified as HTTP type traffic. |
| Endgame | Telemetry (Tainted) | Telemetry showing the decoded powershell.exe command-line arguments showed a connection over HTTPS to www.freegoogleadsenseinfo.com (C2 domain) (tainted by parent alert). Telemetry also showed a connection to letsencrypt.org, which could indicate use of a cert for HTTPS. |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified that the Empire backdoor was configured to communicate with freegoogleadsenseinfo.com (C2 domain) over HTTPS. |
| F-Secure | Telemetry | Telemetry showed powershell.exe making a connection over port 443 to freegoogleadsenseinfo.com (C2 domain). |
| GoSecure | None | No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over TCP port 443 (no protocol was identified for this traffic). |
| McAfee | None | No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic) and an alert that indicated that powershell.exe queried registered cryptographic provider libraries. |
| Microsoft | Telemetry (Tainted) | Telemetry showed powershell.exe checking an SSL certificate and then communicating to 192.168.0.5 (C2 server) over an encrypted channel (tainted by relationship to alert on PowerShell script with suspicious content). Telemetry within an alert showed decoded command-line arguments to perform an HTTPS connection to the C2 domain. |
| | Indicator of Compromise (Configuration Change) | An Indicator of Compromise alert was generated on the C2 domain. |
| Palo Alto Networks | None | No detection capability demonstrated for this procedure. |
| RSA | Telemetry | Telemetry showed powershell.exe making a connection over port 443 to freegoogleadsenseinfo.com (C2 domain). |
| SentinelOne | None | No detection capability demonstrated for this procedure. |
| Vendor | Detection Type | Description |
| --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed modload events importing dynamic libraries usually used for HTTP and SSL communication (e.g. winhttp.dll), followed by a CRL check to a CA, indicating that HTTPS was likely used. |
| CrowdStrike | None | No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic). |
| Cybereason | Telemetry (Tainted) | Telemetry showed that powershell.exe had an outgoing connection on port 443, identified as HTTP type traffic. Telemetry also showed decoded command-line arguments to perform an HTTPS connection to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent PowerShell alert. |
| Endgame | Telemetry (Tainted) | Telemetry showing the decoded powershell.exe command-line arguments showed a connection over HTTPS to www.freegoogleadsenseinfo.com (C2 domain) (tainted by parent alert). Telemetry also showed a connection to letsencrypt.org, which could indicate use of a cert for HTTPS. |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified that the Empire backdoor was configured to communicate with freegoogleadsenseinfo.com (C2 domain) over HTTPS. |
| F-Secure | Specific Behavior | A Specific Behavior alert was generated for PowerShell downloading a significant amount of data using HTTP(S). |
| GoSecure | None | No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over TCP port 443 (no protocol was identified for this traffic). |
| McAfee | None | No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic) and an alert that indicated that powershell.exe queried registered cryptographic provider libraries. |
| Microsoft | Telemetry (Tainted) | Telemetry showed powershell.exe checking an SSL certificate and then communicating to 192.168.0.5 (C2 server) over an encrypted channel (tainted by relationship to alert on PowerShell script with suspicious content). Telemetry within an alert showed decoded command-line arguments to perform an HTTPS connection to the C2 domain. |
| Palo Alto Networks | None | No detection capability demonstrated for this procedure. |
| RSA | None | No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over port 443 and to letsencrypt.org (no protocol was identified for this traffic). |
| SentinelOne | None | No detection capability demonstrated for this procedure. |
| Vendor | Detection Type | Description |
| --- | --- | --- |
| Carbon Black | Telemetry | Telemetry within the process tree showed powershell.exe executing route.exe with command-line arguments. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because route print was part of the basic reconnaissance activity performed. |
| | Telemetry (Tainted) | Telemetry showed powershell.exe executing route.exe with command-line arguments. The process tree view showed route.exe as tainted by a previous powershell.exe detection. |
| Cybereason | Telemetry (Tainted) | Telemetry showed route.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert. |
| FireEye | Enrichment | The capability enriched route.exe with an alert for Route Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery). |
| | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified route.exe as a reconnaissance command used. |
| GoSecure | Enrichment (Tainted) | The capability showed powershell.exe executing route.exe with command-line arguments and enriched the command with the conditions Reconnaissance Tool and Route Spawned with Reconnaissance. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched route.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that routing tables were viewed or manipulated. |
| | Telemetry (Tainted) | Telemetry showed powershell.exe executing route.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence for powershell.exe executing route.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts. |
| RSA | Telemetry | Telemetry showed powershell.exe executing route.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing route.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Description |
| --- | --- | --- |
| Carbon Black | Enrichment | The capability enriched ipconfig.exe with the correct ATT&CK Technique (T1049 - System Network Configuration Discovery). |
| | Telemetry | Telemetry within the process tree showed powershell.exe executing ipconfig.exe with command-line arguments. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. The process tree view showed ipconfig.exe as tainted by a previous powershell.exe detection. |
| | General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because ipconfig was part of the basic reconnaissance activity performed. |
| Cybereason | Enrichment (Tainted) | The capability enriched ipconfig.exe executing with command-line arguments with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery). The data was tainted by a parent PowerShell alert. |
| | Telemetry | Telemetry showed ipconfig.exe executing with command-line arguments. |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified ipconfig.exe as a reconnaissance command used. |
| | Enrichment | The capability enriched ipconfig.exe with an alert for Ipconfig Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery). |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed powershell.exe executing ipconfig.exe with command-line arguments and enriched the command with the condition Ipconfig All Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery). |
| | Telemetry (Tainted) | Telemetry showed powershell.exe executing ipconfig.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence for powershell.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts. |
| RSA | Telemetry | Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Description |
| --- | --- | --- |
| Carbon Black | Enrichment | The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery). |
| | Telemetry | Telemetry within the process tree showed powershell.exe executing whoami.exe with command-line arguments. |
| CrowdStrike | Telemetry | Telemetry within the OverWatch alert showed powershell.exe executing whoami.exe with command-line arguments, and would be available in a separate view. |
| | General Behavior (Delayed, Tainted) | OverWatch generated a General Behavior alert indicating whoami.exe with command-line arguments was suspicious. The process tree view showed whoami.exe as tainted by a previous powershell.exe detection. |
| | General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because whoami was part of the basic reconnaissance activity performed. |
| Cybereason | Telemetry | Telemetry showed whoami.exe executing with command-line arguments. |
| | Enrichment (Tainted) | The capability enriched whoami.exe executing as Reconnaissance and the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery). The data was tainted by a parent PowerShell alert. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. |
| | Telemetry (Tainted) | Telemetry showed powershell.exe executing whoami.exe with command-line arguments (tainted by parent PowerShell alerts). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified whoami.exe as a reconnaissance command used. |
| | Enrichment | The capability enriched whoami.exe with an alert for Whoami Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery). |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (powershell.exe). |
| | Enrichment | The capability enriched powershell.exe executing whoami.exe, indicating a sign of reconnaissance before privilege escalation. |
| | Telemetry | Telemetry showed powershell.exe executing whoami.exe with command-line arguments. |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed powershell.exe executing whoami.exe with command-line arguments and enriched the command with the condition Whoami Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing whoami.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| | Enrichment | The capability enriched whoami.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) and a suspicious indicator that the name of the logged-on user was discovered. |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence for powershell.exe executing whoami.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed powershell.exe executing whoami.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. |
| RSA | Telemetry | Telemetry showed powershell.exe executing whoami.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing whoami.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |

| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | Enrichment | The capability enriched qprocess.exe with the correct ATT&CK Technique (Process Discovery). |
| Carbon Black | Telemetry | Telemetry within the process tree showed powershell.exe executing qprocess.exe with command-line arguments. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because qprocess was part of the basic reconnaissance activity performed. |
| CrowdStrike | General Behavior (Delayed, Tainted) | OverWatch generated a General Behavior alert indicating qprocess.exe with command-line arguments was suspicious. The process tree view showed qprocess.exe as tainted by a previous powershell.exe detection. |
| CrowdStrike | Telemetry | Telemetry within the OverWatch alert showed execution of qprocess.exe with command-line arguments, and would be available in a separate view. |
| Cybereason | Enrichment (Tainted) | The capability enriched qprocess.exe executing as Reconnaissance and Local process discovery as well as the correct ATT&CK Technique (Process Discovery) and Tactic (Discovery). The data was tainted by a parent PowerShell alert. |
| Cybereason | Telemetry | Telemetry showed qprocess.exe executing with command-line arguments. |
| Endgame | Telemetry (Tainted) | Telemetry showed powershell.exe executing qprocess.exe with command-line arguments (tainted by parent PowerShell alerts). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified qprocess.exe as a reconnaissance command used. |
| FireEye | Enrichment | The capability enriched qprocess.exe with an alert for Qprocess Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1057 - Process Discovery) and Tactic (Discovery). |
| F-Secure | Telemetry | Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (qprocess) has been tagged for monitoring because its parent process has a detection (powershell.exe). |
| F-Secure | Enrichment | The capability enriched qprocess.exe as listing running processes and possibly a sign of reconnaissance. |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing qprocess.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| McAfee | Enrichment | The capability enriched qprocess.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that software running on a system was queried. |
| McAfee | Enrichment | The capability enriched qprocess.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (Process Discovery) and a suspicious indicator that QPROCESS was used to check active processes. |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence for powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. |
| Palo Alto Networks | Enrichment | The capability enriched qprocess.exe executing with a related ATT&CK Technique (System Service Discovery). |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of qprocess.exe as the enumeration of running processes via the command line. The data was tainted by a parent alert on wscript.exe. |
| RSA | Telemetry | Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe and net1.exe as tainted by a previous powershell.exe detection. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net start was part of the basic reconnaissance activity performed. |
| Cybereason | Telemetry | Telemetry showed net.exe executing with command-line arguments. |
| Cybereason | General Behavior (Tainted) | A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Services Discovery). The alert was tainted by a parent PowerShell alert. |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net Start Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows services were manipulated via sc.exe/net.exe. |
| McAfee | General Behavior | A General Behavior alert was generated for net or sc command executed through PowerShell. The alert was tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery). |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| RSA | Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed process execution of powershell.exe. The powershell.exe process loaded several non-default dynamic-link libraries, which may indicate functionality used by the PowerShell script. |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team also sent an email indicating they identified a Specific Behavior for an unidentified PowerShell script running. |
| CrowdStrike | Telemetry | Telemetry showed the PowerShell script (.ps1) being written to the temp folder. |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team generated a Specific Behavior alert indicating the PowerShell script was malicious. |
| Cybereason | Specific Behavior (Tainted) | A Specific Behavior alert was generated for a malicious command, which was identified as the Invoke-WinEnum function. The alert also identified the PowerShell commands as suspicious, and they were tagged with the correct ATT&CK Technique (PowerShell) and Tactic (Execution). The alert was tainted by a parent PowerShell alert. |
| Cybereason | Telemetry (Tainted) | Telemetry showed the PowerShell Script module (.psm1) being written to the temp folder. The telemetry was tainted by a parent PowerShell alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed the creation of the PowerShell Process (tainted by parent PowerShell alerts). |
| Endgame | Specific Behavior (Tainted) | A Specific Behavior alert was generated for "PowerShell with Unusual Arguments" that coincided with the execution of WinEnum (tainted by parent PowerShell alerts). The alert also identified a related ATT&CK Technique (T1086 - PowerShell) and Tactic (Execution). From the alert, the Interactive Shell was used to analyze the PowerShell script and the function Invoke-WinEnum was observed. |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that a PowerShell command was run from the Empire process. |
| FireEye | Enrichment | The capability enriched powershell.exe with an alert for PowerShell Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1086 - PowerShell). |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function. |
| GoSecure | Telemetry | Telemetry showed powershell.exe connecting to the domain controller 10.0.0.4 (Creeper), which coincided with the execution of WinEnum. |
| McAfee | Telemetry | Telemetry showed the PowerShell script (.ps1) being written to the temp folder, indicating the execution of a PowerShell script. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed powershell.exe executing with command-line arguments as well as PowerShell module (.psm) and script (.ps1) files being written to disk. The telemetry was tainted by a parent alert on wscript.exe. |
| Palo Alto Networks | Specific Behavior (Tainted) | A Specific Behavior alert was generated for PowerShell execution with base64 encoded commands. The alert was tainted by a parent alert on wscript.exe. |
| Palo Alto Networks | Indicator of Compromise | An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire WinEnum. |
| RSA | Telemetry | Telemetry showed PowerShell running and a PowerShell script being written to disk that coincided with the execution of WinEnum. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed execution of a PowerShell script with follow-on enumeration activity that coincided with the execution of the WinEnum module. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-UserInfo was observed. |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of user information. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Indicator of Compromise | An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire UserInfo. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| GoSecure | None | No detection capability demonstrated for this procedure, though telemetry showed powershell.exe connecting to the domain controller. This could indicate AD group information was being obtained, but this was not directly detected. The vendor indicated the capability sees the start of a PowerShell connection, but would not see additional commands after that start. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Password Last changed was observed. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of password policy information. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | None | No detection capability demonstrated for this procedure. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Last 5 files opened was observed. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of recently opened files. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Enrichment | The capability enriched powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery). |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Interesting Files was observed. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of interesting files. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Enrichment | The capability enriched powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery). |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure, though telemetry showed execution of an encoded PowerShell command and OverWatch alerted on it as suspicious. The PowerShell decoded to Windows.Clipboard(...) outside of the capability, which indicated clipboard interaction, but this was not counted as a detection because it was external to the capability. |
| Cybereason | Telemetry (Tainted) | Telemetry showed the decoded powershell.exe function to gather clipboard data. The telemetry was tainted by a parent PowerShell alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed the creation of a PowerShell sub-process and decoded the command within the capability to show Windows.Clipboard (tainted by parent PowerShell alerts). Though it does not count as part of the detection, the Interactive Shell could also be used to analyze the PowerShell execution and WinEnum Clipboard Contents was observed. |
| FireEye | Indicator of Compromise (Delayed) | The Managed Defense Report indicated an Indicator of Compromise detection occurred because it identified that the attacker executed the Windows Clipboard capability in Empire. The capability separately showed a PowerShell Execution (Weak Signal) alert containing the encoded PowerShell command. This command could be decoded, but this was not counted as a separate detection because it was external to the capability. |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of clipboard contents. |
| F-Secure | Indicator of Compromise | An Indicator of Compromise alert was generated for PowerShell Empire accessing the clipboard. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure, though telemetry showed execution of an encoded PowerShell command. The PowerShell decoded to Windows.Clipboard(...) outside of the capability, which indicated clipboard interaction, but this was not counted as a detection because it was external to the capability. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Enrichment | The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Clipboard Data). |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | Telemetry | Telemetry from decoded PowerShell (within the capability) showed the Get-Sysinfo function. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-SysInfo was observed. |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of system information. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Indicator of Compromise | An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire SysImfo. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing WMI queries that indicated operating system information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Windows Last Updated was observed. |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of Windows update information. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-SysInfo was observed. |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of system information via a Registry query. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the enumeration of system information via a Registry query as suspicious. The data was tainted by a parent alert on wscript.exe. |
| Palo Alto Networks | Indicator of Compromise | An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire SysImfo. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Available Shares was observed. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of available shares. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Enrichment | The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery). |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Mapped Network Drives was observed. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of mapped network drives. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Enrichment | The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery). |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing WMI queries that indicated logical disk information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum AV Solution was observed. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of AV solutions. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Telemetry | Telemetry showed an event log for the WMI query of the system AV products. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Enrichment (Tainted) | The capability enriched powershell.exe activity with the action "attempted to find other installed security software." The enrichment was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing WMI queries that indicated antivirus product information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Firewall Rules was observed. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of firewall rules. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Enrichment | The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Security Software Discovery). |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |


| Vendor | Detection Type | Detection Notes |
| --- | --- | --- |
| Endgame | None | No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-NetInfo-Network Adapters was observed. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing WMI queries that indicated network adapter and configuration information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |

| Vendor | Detection | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry within the process tree showed netstat.exe executing with command-line arguments. |
| Carbon Black | Enrichment | The capability enriched netstat.exe with the correct ATT&CK Technique (System Network Connections Discovery). |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed powershell.exe executing netstat.exe with command-line arguments. The process tree view showed netstat.exe as tainted by a previous powershell.exe detection. |
| Cybereason | Enrichment (Tainted) | The capability enriched netstat.exe execution as Reconnaissance and with the correct ATT&CK Technique (System Network Connections Discovery). The data was tainted by a parent PowerShell alert. |
| Cybereason | Telemetry | Telemetry showed netstat.exe executing with command-line arguments. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched netstat.exe with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. |
| Endgame | Telemetry (Tainted) | An event tree from the suspicious PowerShell process showed a netstat subprocess created by WinEnum (tainted by parent PowerShell alerts). Though it does not count as part of the detection, the Interactive Shell could also be used to analyze the PowerShell execution, where the WinEnum Get-NetInfo (Network Adapters) step was observed. |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified netstat.exe as a reconnaissance command used. |
| FireEye | Enrichment | The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). |
| F-Secure | Telemetry | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of established network connections. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing netstat.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| Microsoft | General Behavior (Delayed) | A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". |
| Microsoft | Telemetry (Tainted) | Telemetry showed invocation of the PowerShell cmdlet Get-NetInfo and subsequent execution of netstat.exe with command-line arguments from powershell.exe. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert. |
| Palo Alto Networks | Enrichment | The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Network Connections Discovery). |
| RSA | Telemetry | Telemetry showed powershell.exe executing netstat.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing netstat.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
| Vendor | Detection | Notes |
|---|---|---|
| Cybereason | General Behavior (Tainted) | A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The alert was tainted by a parent PowerShell alert. |
| Cybereason | Telemetry | Telemetry showed net.exe executing with command-line arguments. |
| Endgame | Telemetry (Tainted) | Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). |
| Endgame | Enrichment (Tainted) | An alert for Enumeration of Administrator Account provided enrichment to the net group command (tainted by parent PowerShell alerts). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Domain Admins Reconnaissance Command and Net Group Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information about user groups. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information about domain admins. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| RSA | Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
| Vendor | Detection | Notes |
|---|---|---|
| Cybereason | Telemetry | Telemetry showed net.exe executing with command-line arguments. |
| Cybereason | General Behavior (Tainted) | A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The alert was tainted by a parent PowerShell alert. |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information about user groups. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| RSA | Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
| Vendor | Detection | Notes |
|---|---|---|
| Carbon Black | Enrichment | The capability enriched net.exe with a related ATT&CK Technique (T1069 - Permission Groups Discovery). |
| Carbon Black | Telemetry | Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net user was part of additional malicious discovery performed. |
| Cybereason | General Behavior (Tainted) | A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery). The alert was tainted by a parent PowerShell alert. |
| Cybereason | Telemetry | Telemetry showed net.exe executing with command-line arguments. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched the event with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. |
| Endgame | Telemetry (Tainted) | Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used to capture information about local users. |
| F-Secure | Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (net.exe) had been tagged for monitoring because its parent process (powershell.exe) had a detection. |
| GoSecure | Enrichment (Tainted) | The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery), a related Technique (System Owner/User Discovery), and a suspicious indicator that the net utility was used to obtain information about user groups. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. |
| Palo Alto Networks | Enrichment | The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery). |
| RSA | Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
| Vendor | Detection | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments. |
| Carbon Black | Enrichment | The capability enriched net.exe with a related ATT&CK Technique (T1069 - Permission Groups Discovery). |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net user was part of additional malicious discovery performed. |
| Cybereason | Telemetry | Telemetry showed net.exe executing with command-line arguments. |
| Cybereason | General Behavior (Tainted) | A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery). The alert was tainted by a parent PowerShell alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched the event with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (net.exe) had been tagged for monitoring because its parent process (powershell.exe) had a detection. |
| F-Secure | Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| GoSecure | Enrichment (Tainted) | The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery). |
| Palo Alto Networks | Enrichment | The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery). |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. |
| RSA | Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). |
| Vendor | Detection | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry showed a process tree containing net.exe with command-line arguments. |
| Carbon Black | Enrichment | The capability enriched net.exe with a related ATT&CK Technique (Account Discovery). |
| CrowdStrike | Enrichment (Tainted) | The capability enriched net.exe with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The process tree view showed the enrichment was tainted by a previous powershell.exe detection. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net group was part of additional malicious discovery performed. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed net.exe executing with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. |
| Cybereason | General Behavior (Tainted) | A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery). The alert was tainted by a parent PowerShell alert. |
| Cybereason | Telemetry | Telemetry showed net.exe executing with command-line arguments. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched net.exe with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). The enrichment was tainted by a parent alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed net.exe executing with command-line arguments (tainted by parent alert). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1018 - Remote System Discovery) and Tactic (Discovery). |
| F-Secure | Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (net) had been tagged for monitoring because its parent process (powershell.exe) had a detection. |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. |
| McAfee | Enrichment | The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| Microsoft | General Behavior (Delayed) | A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". |
| Microsoft | Telemetry (Tainted) | Telemetry showed execution of net.exe with command-line arguments (tainted by the parent PowerShell malicious cmdlet alert). |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched the execution of net.exe and net1.exe as an enumeration command. The data was tainted by a parent alert on wscript.exe. |
| RSA | Telemetry | Telemetry showed execution of net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed execution of net.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). |
| Vendor | Detection | Notes |
|---|---|---|
| Carbon Black | Telemetry | The vendor demonstrated to MITRE that the capability can provide telemetry of net.exe, but no screenshot was captured for this procedure. |
| Carbon Black | Enrichment | The capability enriched net.exe with a related ATT&CK Technique (Account Discovery). |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net use was part of additional malicious discovery performed. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed net.exe executing with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. |
| Cybereason | General Behavior (Tainted) | A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Network Connections Discovery). The alert was tainted by a parent PowerShell alert. |
| Cybereason | Telemetry | Telemetry showed net.exe executing with command-line arguments. |
| Endgame | Telemetry (Tainted) | Telemetry showed execution of net.exe with command-line arguments (tainted by parent alert). |
| Endgame | Specific Behavior (Tainted) | A Specific Behavior alert was triggered for enumerating Windows network admin shares as part of Discovery (tainted by parent alert). |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched net.exe with the correct ATT&CK Technique (T1049 - System Network Connections Discovery), a related ATT&CK Technique (Remote System Discovery), and the correct Tactic (Discovery). The enrichment was tainted by a parent alert. |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (net) had been tagged for monitoring because its parent process (powershell.exe) had a detection. |
| F-Secure | Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| GoSecure | Telemetry (Tainted) | Telemetry showed execution of net.exe with command-line arguments (tainted by the parent Script File Created alert). |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. |
| RSA | Telemetry | Telemetry showed execution of net.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed execution of net.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). |
| Vendor | Detection | Notes |
|---|---|---|
| Carbon Black | Enrichment | The capability enriched net.exe data with the correct ATT&CK Technique (T1049 - System Network Connections Discovery). |
| Carbon Black | Telemetry | Telemetry showed a process tree containing netstat.exe with command-line arguments. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because netstat was part of additional malicious discovery performed. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed netstat.exe executing with command-line arguments. The process tree view showed netstat.exe as tainted by a previous powershell.exe detection. |
| Cybereason | Enrichment (Tainted) | The capability enriched netstat.exe execution as Reconnaissance and with the correct ATT&CK Technique (System Network Connections Discovery). The data was tainted by a parent PowerShell alert. |
| Cybereason | Telemetry | Telemetry showed netstat.exe executing with command-line arguments. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched netstat.exe data with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) (tainted by parent alert). |
| Endgame | Telemetry (Tainted) | Telemetry showed execution of netstat.exe with command-line arguments (tainted by parent alert). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified netstat.exe as a reconnaissance command used. |
| FireEye | Enrichment | The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (netstat) had been tagged for monitoring because its parent process (powershell.exe) had a detection. |
| F-Secure | Telemetry | Telemetry showed powershell.exe executing netstat.exe with command-line arguments. |
| GoSecure | Telemetry (Tainted) | Telemetry showed execution of netstat.exe with command-line arguments (tainted by the parent Script File Created alert). |
| McAfee | Enrichment | The capability enriched netstat.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Connections Discovery) and a suspicious indicator that network protocol statistics were gathered. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing netstat.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed powershell.exe executing netstat.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. |
| RSA | None | No detection capability demonstrated for this procedure due to event suppression (previously detected). |
| SentinelOne | Telemetry (Tainted) | Telemetry showed execution of netstat.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). |
| Vendor | Detection | Notes |
|---|---|---|
| Carbon Black | Enrichment | The capability enriched reg.exe data with the correct ATT&CK Technique (Query Registry). |
| Carbon Black | Telemetry | Telemetry showed a process tree containing reg.exe with command-line arguments. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because reg query was part of additional malicious discovery performed. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed reg.exe executing with command-line arguments. The process tree view showed reg.exe as tainted by a previous powershell.exe detection. |
| CrowdStrike | General Behavior (Delayed, Tainted) | OverWatch generated a General Behavior alert identifying reg.exe execution as suspicious. The alert was tainted by a parent powershell.exe detection. |
| Cybereason | Telemetry (Tainted) | Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery) (tainted by parent alert). |
| Endgame | Telemetry (Tainted) | Telemetry showed execution of reg.exe with command-line arguments (tainted by parent alert). |
| FireEye | Enrichment | The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified reg.exe as a reconnaissance command used. |
| GoSecure | Telemetry (Tainted) | Telemetry showed execution of reg.exe with command-line arguments (tainted by the parent Script File Created alert). |
| McAfee | Enrichment | The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the reg.exe utility queried the Registry. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing reg.exe. The telemetry was tainted by a trace detection on wscript.exe. |
| Microsoft | Telemetry (Tainted) | Telemetry showed execution of reg.exe with command-line arguments (tainted by the "Suspicious sequence of exploration activities" alert). |
| RSA | Telemetry | Telemetry showed execution of reg.exe with command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed execution of reg.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Description |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team also sent an email indicating a Specific Behavior was observed because a base64 obfuscated PowerShell command was used to invoke a UAC bypass. |
| CrowdStrike | Telemetry | Telemetry showed an integrity level change through a query for powershell.exe processes of high integrity (12288/0x3000) that were created by medium integrity processes (8192/0x2000), which is indicative of a UAC bypass. Telemetry also showed the Invoke-BypassUACTokenManipulation function in the script. |
| Cybereason | Telemetry (Tainted) | Telemetry showed an integrity level change from medium to high for powershell.exe, which is indicative of a UAC bypass. The telemetry was tainted by a parent Malicious use of PowerShell alert. |
| Endgame | Telemetry | Telemetry showed a mismatch between the logon id (authentication id) of the parent (powershell.exe - 312288) and child (powershell.exe - 10184789) processes, indicating that a different token was used. Though no screenshot for this data is available, this information can be used to trace back to the logon event for that logon id to display the process integrity level indicative of the elevated token used for the UAC bypass. |
| FireEye | Telemetry (Configuration Change) | Telemetry showed execution of powershell.exe as a high integrity process as SYSTEM with a token login ID previously associated with user Bob, which indicates a UAC bypass. |
| F-Secure | Telemetry | Telemetry showed an elevated PowerShell spawned under the context of user Bob from an unelevated parent process. |
| F-Secure | General Behavior | A General Behavior alert was generated for a possible PowerShell privilege escalation based on the elevation of a child process from a non-elevated parent. |
| GoSecure | None | No detection capability demonstrated for this procedure, though an alert called "PowerShell executed encoded commands" triggered due to svchost.exe creating powershell.exe with the -enc command-line argument. |
| McAfee | Telemetry | Telemetry showed an integrity level change from medium (2) to high (3) for powershell.exe, which is indicative of a UAC bypass. |
| McAfee | Specific Behavior | A Specific Behavior alert was generated for a possible UAC bypass. The alert was tagged with the correct ATT&CK Technique (Bypass User Account Control) and Tactics (Defense Evasion, Privilege Escalation). |
| Microsoft | Telemetry (Tainted) | Telemetry showed powershell.exe executing the "Invoke-BypassUACTokenManipulation" Empire cmdlet under the context of user Bob at medium integrity level, execution of svchost.exe with the seclogon flag to use the impersonation service to create a new high integrity powershell.exe process as SYSTEM, and the subsequent context adjustment of powershell.exe to user Bob (tainted by the parent alert for suspicious sequence of exploration activities). |
| Palo Alto Networks | Telemetry | Telemetry showed a process integrity level change from the parent powershell.exe (medium / 8192) to the child powershell.exe (high / 12288). |
| Palo Alto Networks | Indicator of Compromise | An Indicator of Compromise alert was generated identifying a PowerShell Empire script performing the UAC bypass attack. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed process integrity levels changing from medium to high (tainted by parent alert). |
| Vendor | Detection Type | Description |
|---|---|---|
| Carbon Black | Telemetry | The vendor demonstrated to MITRE that the capability can provide telemetry of network connections and file modifications indicating a Remote File Copy, but no screenshot was captured for this procedure. |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team sent an email indicating a Specific Behavior was observed because PowerShell retrieved the file wdbypass from www.freegoogleadsenseinfo.com (C2 domain) over port 8080. |
| Cybereason | Specific Behavior (Tainted) | A Specific Behavior alert was generated based on the downloading and execution of wdbypass, identified as Fileless malware, from freegoogleadsenseinfo.com (C2 domain) over port 8080. The alert also showed decoded PowerShell commands extracted from the command-line arguments showing a connection over port 8080 with an HTTP request to download the wdbypass payload. The alert was tainted by a parent PowerShell alert. |
| Endgame | Telemetry | Decoded PowerShell extracted from the command-line arguments showed a connection over port 8080 with an HTTP request to download the wdbypass payload. |
| FireEye | Enrichment | The capability enriched an HTTP GET request for wdbypass with an alert for PowerShell URL Request (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and Tactic (Command and Control). |
| F-Secure | Telemetry | Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass. |
| F-Secure | Specific Behavior | A Specific Behavior alert was generated for PowerShell downloading a significant amount of data using HTTP(S). |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass (tainted by the parent "Powershell executed encoded commands" alert). |
| McAfee | None | No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. |
| Microsoft | Telemetry (Tainted) | Telemetry showed a network connection to 192.168.0.5 (C2 server) over port 8080, as well as decoded PowerShell making a connection over port 8080 with an HTTP request to download the wdbypass payload (tainted by the alert on suspicious PowerShell command-line arguments). |
| Palo Alto Networks | None | No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. |
| RSA | None | No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. |
| Vendor | Detection Type | Description |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | None | No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. |
| Cybereason | Specific Behavior (Tainted) | A Specific Behavior alert was generated for powershell.exe executed as a PowerShell downloader. The alert was tagged with the correct ATT&CK Tactic (Command and Control) and Technique (Standard Application Layer Protocol). Data also showed decoded PowerShell commands extracted from the command-line arguments showing a connection over port 8080 with an HTTP request to download the wdbypass payload. The alert was tainted by a parent PowerShell alert. |
| Endgame | Telemetry | Decoded PowerShell extracted from the command-line arguments showed a connection over port 8080 with an HTTP request to download the wdbypass payload. |
| FireEye | Enrichment | The capability enriched an HTTP GET request with an alert for PowerShell URL Request (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1071 - Standard Application Layer Protocol) and Tactic (Command and Control). |
| F-Secure | Telemetry | Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass. |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass (tainted by the parent "Powershell executed encoded commands" alert). |
| McAfee | None | No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. |
| Microsoft | Telemetry (Tainted) | Telemetry showed a decoded PowerShell script invoked that created a web request to the C2 server, with related data showing the connection was made (tainted by the alert on suspicious PowerShell command-line arguments). |
| Palo Alto Networks | None | No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. |
| RSA | None | No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |
| Vendor | Detection Type | Description |
|---|---|---|
| Carbon Black | Telemetry | Telemetry showed a network connection to 192.168.0.5 (C2 server) over TCP port 8080. |
| CrowdStrike | Telemetry | Telemetry showed a network connection event to 192.168.0.5 (C2 server) on TCP port 8080 that was associated with the encoded PowerShell IEX command. |
| Cybereason | Specific Behavior (Tainted) | A Specific Behavior alert was generated for powershell.exe executed as a PowerShell downloader. The alert was tagged with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port). Data also showed decoded PowerShell commands extracted from the command-line arguments showing a connection over port 8080 with an HTTP request to download the wdbypass payload. The alert was tainted by a parent PowerShell alert. |
| Cybereason | Telemetry | Telemetry showed powershell.exe making a network connection over port 8080. |
| Endgame | General Behavior | A General Behavior alert for Command and Control was triggered because of PowerShell making a connection over TCP port 8080. |
| Endgame | Telemetry | Decoded PowerShell extracted from the command-line arguments showed a connection over port 8080 with an HTTP request to download the wdbypass payload. |
| FireEye | Telemetry (Tainted) | Telemetry showed a connection to freegoogleadsenseinfo.com (C2 domain) over TCP port 8080. The telemetry was tainted by the parent PowerShell URL Request (Weak Signal) alert. |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified that the Empire instance communicated with freegoogleadsenseinfo.com (C2 domain) over port 8080. |
| F-Secure | Telemetry | Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass. |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass (tainted by the parent "Powershell executed encoded commands" alert). |
| McAfee | Telemetry | Telemetry showed a network connection to 192.168.0.5 (C2 server) over TCP port 8080. |
| Microsoft | Telemetry (Tainted) | Telemetry showed a connection to 192.168.0.5 (C2 server) on port 8080 was made (tainted by the alert on suspicious PowerShell command-line arguments). |
| Palo Alto Networks | Telemetry | Telemetry showed an outgoing network connection to www.freegoogleadsenseinfo.com (C2 domain) over port 8080. |
| RSA | Telemetry | Telemetry showed a network connection to 192.168.0.5 (C2 server) over port 8080. Though it does not count as a detection, telemetry also showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed network connections over port 8080. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Description |
|---|---|---|
| Carbon Black | Enrichment | The capability enriched the events with a tag titled "PowerShell Input Capture -keylogger" based on known modloads that could potentially be abused to provide keylogger functionality. |
| Carbon Black | Telemetry | Telemetry showed modloads associated with the execution of a keylogger. |
| CrowdStrike | Telemetry | Telemetry showed the decoded PowerShell script, which displayed the function Get-Keystrokes. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating a Specific Behavior was identified because they observed the adversary logging keystrokes based on the Get-Keystrokes PowerShell function. |
| Cybereason | Indicator of Compromise | An Indicator of Compromise alert was generated based on the execution of a malicious command in PowerShell named Get-Keystrokes. |
| Cybereason | Telemetry | Telemetry showed modloads associated with the execution of a keylogger. |
| Endgame | None | No detection capability demonstrated for this procedure, though the capability pulled PowerShell Script Block logs from the host to show the execution of Get-Keystrokes. |
| FireEye | None | No detection capability demonstrated for this procedure, though the capability detected PowerShell activity during the time of the keylogging. |
| F-Secure | Telemetry | Telemetry showed powershell.exe executing the GetAsyncKeyState method, indicating keylogging. |
| F-Secure | Enrichment | The capability enriched powershell.exe with a tag indicating .NET keylogging. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | Telemetry (Tainted) | Telemetry showed powershell.exe making API calls consistent with keylogger behavior. Telemetry also showed execution of the Get-Keystrokes Empire PowerShell cmdlet (tainted by the alert on a PowerShell script with suspicious content). |
| Microsoft | Specific Behavior (Delayed) | A delayed Specific Behavior alert was generated on keylogging activity in powershell.exe. |
| Palo Alto Networks | Enrichment | The capability enriched the execution of a specific API call as keylogging and suspicious activity. |
| Palo Alto Networks | Indicator of Compromise | An Indicator of Compromise alert was generated identifying a PowerShell Empire script logging keys pressed, time, and the active window. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Enrichment (Tainted) | The capability enriched data collected as keylogging behavior that was not visible through the standard interface during the evaluation. |
| Vendor | Detection Type | Description |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | Telemetry | Telemetry showed the decoded PowerShell script, which displayed the API call GetForegroundWindow to enumerate the active window. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | Telemetry | Telemetry showed powershell.exe executing the GetForegroundWindow method. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Indicator of Compromise | An Indicator of Compromise alert was generated identifying a PowerShell Empire script logging keys pressed, time, and the active window. |
| Palo Alto Networks | Telemetry | Telemetry showed the decoded PowerShell script, which includes the API call GetForegroundWindow to enumerate the active window. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |
| Vendor | Detection Type | Description |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because IT_tasks.txt was retrieved from a network share as a file of interest. |
| CrowdStrike | Telemetry | Telemetry showed a file read event for IT_tasks.txt by powershell.exe as well as an FsPostOpen event indicating IT_tasks.txt was opened. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | Telemetry | Telemetry showed powershell.exe executing the Get-Content cmdlet on IT_tasks.txt. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure, though telemetry was available that showed execution of the Get-Content PowerShell cmdlet. The data does not show what file the cmdlet was executed on. |
| Palo Alto Networks | Telemetry | Telemetry showed a file read event for IT_tasks.txt. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | None | No detection capability demonstrated for this procedure. |
| Vendor | Detection Type | Description |
|---|---|---|
| Carbon Black | Enrichment (Configuration Change) | The capability enriched individual net.exe events with tagging titled "Credential Access using Admin Shares - Failed Attempts". |
| Carbon Black | Telemetry | Telemetry showed a process tree containing repeated logon attempts via net.exe and command-line arguments indicative of password spraying. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally using several accounts. |
| CrowdStrike | General Behavior (Delayed, Tainted) | OverWatch generated General Behavior alerts indicating the net use commands were suspicious. The alerts were tainted by a parent powershell.exe detection. |
| CrowdStrike | Telemetry | Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying, including details that the logons were for local admin (type 6) and that they failed. |
| Cybereason | Telemetry | Telemetry showed net.exe executing with command-line arguments. |
| Cybereason | Enrichment (Tainted) | The capability enriched net.exe execution with a related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares), in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The data was tainted by a parent PowerShell alert. |
| Endgame | Enrichment (Tainted) | The capability enriched each individual net.exe logon attempt with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). |
| Endgame | Telemetry (Tainted) | Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying (tainted by parent PowerShell alert). |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert). |
| FireEye | Telemetry (Configuration Change) | Telemetry showed the logon failure for Kmitnick by searching for Windows Security Log Event ID 4625. |
| FireEye | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified that the attacker attempted to access systems using four accounts. |
| FireEye | Enrichment | The capability enriched repeated logon attempts via net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement). The four events were included under the same alert, and each of the passwords was redacted by the capability. |
| F-Secure | Enrichment | The capability enriched multiple occurrences of net.exe usage as indicative of brute forcing a remote system, as well as with the correct ATT&CK Technique ID (Brute Force). |
| F-Secure | Telemetry | Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying. |
| GoSecure | Enrichment (Tainted) | The capability enriched each individual net.exe logon attempt with the condition "Net User Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing repeated logon attempts via net.exe. The telemetry was tainted by a trace detection on powershell.exe. |
| McAfee | Specific Behavior | A Specific Behavior alert was generated for powershell.exe performing a potential brute force password hack via the net utility. |
| Microsoft | Specific Behavior (Delayed) | A delayed Specific Behavior alert was generated based on a brute force attempt by accessing remote SMB shares with different accounts. |
| Microsoft | Telemetry (Tainted) | Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying (tainted by the parent alert on a PowerShell script with suspicious content). Telemetry also showed failed authorization attempts due to bad passwords, as indicated by a fallback request over WebDAV to port 80 on the C2 server, but did not indicate the two failed access attempts on Morris and Conficker that were due to the accounts having insufficient access on the systems. |
| Palo Alto Networks | General Behavior | A General Behavior alert was generated for the mapping of sensitive administrative shares by an unexpected parent process. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. The telemetry was tainted by a parent alert on wscript.exe. |
| RSA | Telemetry | Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource. |
| Vendor | Detection Type | Description |
|---|---|---|
| Carbon Black | Telemetry | Telemetry showed a process tree containing repeated logon attempts via net.exe targeting ADMIN$. |
| Carbon Black | Specific Behavior | Specific Behavior alerts titled "Windows Admin Shares - Lateral Movement" were generated for credential accesses specifically targeting admin shares. |
| CrowdStrike | Telemetry | Telemetry showed repeated logon attempts via net.exe with command-line arguments targeting ADMIN$ shares on the machines 10.0.1.4 (Morris) and 10.0.1.6 (Nimda). |
| CrowdStrike | General Behavior (Delayed, Tainted) | OverWatch generated General Behavior alerts indicating the net use commands attempting logon to ADMIN$ shares were suspicious. The alerts were tainted by a parent powershell.exe detection. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network. |
| Cybereason | Telemetry | Telemetry showed net.exe executing with command-line arguments. |
| Cybereason | Specific Behavior (Tainted) | A Specific Behavior alert was generated for net.exe attempting to mount an administrative share. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares), in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The alert was tainted by a parent PowerShell alert. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched net.exe connection events with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert). |
| Endgame | Telemetry (Tainted) | Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. |
| Endgame | Specific Behavior (Tainted) | A Specific Behavior alert was triggered for each individual net.exe connection with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). |
| FireEye | Enrichment | The capability enriched net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement). The four events were included under the same alert. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (net) had been tagged for monitoring because its parent process had a detection (powershell.exe). |
| F-Secure | Specific Behavior | Specific Behavior alerts were generated for net.exe connecting to a remote administrative share. |
| F-Secure | Telemetry | Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. |
| GoSecure | Enrichment (Tainted) | The capability enriched individual net.exe logon attempts targeting ADMIN$ with the condition "Net User Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing repeated logon attempts targeting ADMIN$ via net.exe. The telemetry was tainted by a trace detection on powershell.exe. |
| Microsoft | Telemetry (Tainted) | Telemetry showed repeated logon attempts to ADMIN$ via net.exe with command-line arguments (tainted by the parent alert on a PowerShell script with suspicious content). Telemetry also showed failed authorization attempts due to bad passwords, as indicated by a fallback request over WebDAV to port 80 on the C2 server, but did not indicate the two failed access attempts on Morris and Conficker that were due to the accounts having insufficient access on the systems. |
| Microsoft | Specific Behavior (Delayed) | A delayed Specific Behavior alert was generated based on a brute force attempt by accessing remote SMB shares with different accounts. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. The telemetry was tainted by a parent alert on wscript.exe. |
| Palo Alto Networks | Specific Behavior | A Specific Behavior alert was generated for a net.exe logon attempt to ADMIN$. The alert was tagged with the correct ATT&CK Technique (Windows Admin Shares). |
| RSA | Telemetry | Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource. |
| Carbon Black |
|
Telemetry |
|
| Telemetry showed a process tree containing a successful logon via net.exe.
[1]
[2]
[3]
[4]
[5]
| |
| CrowdStrike |
|
General Behavior (Delayed, Tainted) |
 
|
| OverWatch generated a General Behavior alert indicating the successful net use connection was suspicious. The alert was tainted by a parent powershell.exe detection.
[1]
[2]
[3]
[4]
|
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a parent powershell.exe detection.
[1]
[2]
[3]
[4]
| |
| Cybereason |
|
Telemetry |
|
| Telemetry showed net.exe executing with command-line arguments.
[1]
[2]
[3]
|
|
Enrichment (Tainted) |

|
| The capability enriched a logon attempt via net.exe, using the valid credentials of user Kmitnick, with a related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The data was tainted by a parent PowerShell alert.
[1]
[2]
[3]
| |
| Endgame |
|
Enrichment (Tainted) |

|
| The capability enriched the net.exe connection using valid credentials for Kmitnick with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert).
[1]
[2]
[3]
[4]
[5]
|
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials for user Kmitnick (tainted by parent PowerShell alert).
[1]
[2]
[3]
[4]
[5]
|
|
Enrichment (Delayed, Tainted) |
 
|
| The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert).
[1]
[2]
[3]
[4]
[5]
| |
| FireEye |
|
Enrichment |
|
| The capability enriched a logon attempt via net.exe using valid credentials for user Kmitnick with an alert for Net Use Command Execution (Weak Signal). The password for Kmitnick was redacted within the capability.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Telemetry |
|
| Telemetry showed the successful logon for the user Kmitnick.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| F-Secure |
|
Telemetry |
|
| Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick. Telemetry also showed a logon event for user Kmitnick on Conficker (10.0.0.5).
[1]
[2]
[3]
[4]
[5]
[6]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Telemetry also showed explorer.exe (as the user Bob) write a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted.
[1]
[2]
[3]
[4]
| |
| McAfee |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments to login using the valid credentials of user Kmitnick. The telemetry was tainted by a trace detection on powershell.exe. Telemetry also showed a login event on Conficker (10.0.0.5) for user Kmitnick.
[1]
[2]
[3]
[4]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick (tainted by parent alert on PowerShell script with suspicious content). Telemetry showed Kmitnick login event on 10.0.0.5 (Conficker) and that 10.0.1.5 (CodeRed) accessed resources on 10.0.0.5 (Conficker).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| Palo Alto Networks |
|
Enrichment |
|
| The capability enriched an lsass.exe event with the correct ATT&CK Technique (Valid Accounts).
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Telemetry (Tainted) |

|
| Telemetry showed a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) using valid credentials for user Kmitnick followed by an event for the credentials being validated by the DC. The telemetry was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials of user Kmitnick.
[1]
[2]
[3]
[4]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt using valid credentials of user Kmitnick via net.exe and command-line arguments (tainted by relationship to threat story). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource.
[1]
[2]
[3]
[4]
| |
| Carbon Black |
|
Telemetry |
|
| Telemetry showed a process tree containing repeated logon attempts via net.exe targeting ADMIN$, eventually resulting in a successful logon.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Specific Behavior |
|
| Specific Behavior alerts were generated mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| CrowdStrike |
|
General Behavior (Delayed) |

|
| The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments to connect to ADMIN$ on 10.0.0.5 (Conficker) as the user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a previous powershell.exe detection.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
General Behavior (Delayed, Tainted) |
 
|
| OverWatch generated a General Behavior alert indicating the successful net use connection to ADMIN$ was suspicious. The alert was tainted by a parent powershell.exe detection.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| Cybereason |
|
Telemetry |
|
| Telemetry showed net.exe executing with command-line arguments.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Specific Behavior (Tainted) |

|
| A Specific Behavior alert was generated for net.exe attempting to mount an administrative share. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The alert was tainted by a parent PowerShell alert.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| Endgame |
|
Enrichment (Delayed, Tainted) |
 
|
| The capability enriched net.exe connection events with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert).
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Specific Behavior (Tainted) |

|
| A Specific Behavior alert was triggered for each individual net.exe connection with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert).
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Telemetry (Tainted) |

|
| Telemetry showed logon attempt targeting ADMIN$ via net.exe and command-line arguments.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| FireEye |
|
Enrichment |
|
| The capability enriched a logon attempt via net.exe with an alert for Net Use Command Execution (Weak Signal). The alert details showed net.exe with command-line arguments targeting ADMIN$ using valid credentials for user Kmitnick. The alert was also tagged with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Specific Behavior (Delayed) |

|
| The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker accessed Conficker by mounting the ADMIN$ share.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| F-Secure |
|
Specific Behavior |
|
| Specific Behavior alerts were generated for net.exe connecting to a remote administrative share.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
General Behavior |
|
| A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Telemetry |
|
| Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments targeting ADMIN$ using valid credentials for user Kmitnick. Telemetry also showed explorer.exe (as the user Bob) write a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted (tainted by the parent FileExts Registry Key modified alert).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
| |
| McAfee |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe to ADMIN$ with command-line arguments to login using the valid credentials of user Kmitnick. The telemetry was tainted by a trace detection on powershell.exe.
[1]
[2]
[3]
[4]
[5]
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated for the net utility executed to authenticate to a remote admin share with valid accounts. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares).
[1]
[2]
[3]
[4]
[5]
| |
| Microsoft |
|
Specific Behavior (Delayed) |

|
| A delayed Specific Behavior alert was generated for a brute force attempt that accessed remote SMB shares with different accounts.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
|
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments targeting ADMIN$ using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as the local user Kmitnick. The telemetry was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed a logon attempt targeting ADMIN$ via net.exe and command-line arguments.
[1]
[2]
[3]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt targeting ADMIN$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource.
[1]
[2]
[3]
[4]
[5]
| |
| Carbon Black |
|
Telemetry |
|
| Telemetry showed a process tree containing repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon.
[1]
[2]
[3]
[4]
|
|
Enrichment (Configuration Change) |

|
| The capability enriched individual net.exe events with tagging titled "Credential Access using Admin Shares - Failed Attempts" for failures as well as a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons.
[1]
[2]
[3]
[4]
| |
| CrowdStrike |
|
General Behavior (Delayed) |

|
| The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally using several accounts.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
General Behavior (Delayed, Tainted) |
 
|
| OverWatch generated a General Behavior alert indicating the successful net use connection was suspicious. The alert was tainted by a parent powershell.exe detection.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Telemetry (Tainted) |

|
| Telemetry showed net.exe executing with command-line arguments to connect as the user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a parent powershell.exe detection.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| Cybereason |
|
Enrichment (Tainted) |

|
| The capability enriched net.exe execution with a related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The data was tainted by a parent PowerShell alert.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Telemetry |
|
| Telemetry showed net.exe executing with command-line arguments.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| Endgame |
|
Enrichment (Delayed, Tainted) |
 
|
| The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement).
[1]
[2]
[3]
[4]
[5]
|
|
Enrichment (Tainted) |

|
| The capability enriched each individual net.exe connection with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert).
[1]
[2]
[3]
[4]
[5]
|
|
Telemetry (Tainted) |

|
| Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon (tainted by parent PowerShell alert).
[1]
[2]
[3]
[4]
[5]
| |
| FireEye |
|
Enrichment |
|
| The capability enriched net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Telemetry |
|
| Telemetry showed the successful logon for the user Kmitnick.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| F-Secure |
|
Enrichment |
|
| The capability enriched multiple occurrences of net.exe usage with an indicator that a remote system was being brute forced, as well as the correct ATT&CK Technique (Brute Force).
[1]
[2]
|
|
Telemetry |
|
| Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick.
[1]
[2]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed explorer.exe (as the user Bob) write a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted (tainted by the parent FileExts Registry Key modified alert).
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Enrichment (Tainted) |

|
| The capability enriched a net.exe logon attempt targeting ADMIN$ with the condition "Net User Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| McAfee |
|
Specific Behavior |
|
| A Specific Behavior alert was generated for powershell.exe performing a potential brute force password hack via the net utility.
[1]
[2]
[3]
[4]
|
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments to login using the valid credentials of user Kmitnick. The telemetry was tainted by a trace detection on powershell.exe.
[1]
[2]
[3]
[4]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying, eventually resulting in a successful logon (tainted by parent alert on PowerShell script with suspicious content).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
|
|
Specific Behavior (Delayed) |

|
| A Specific Behavior alert was generated for a brute force attempt that accessed remote SMB shares with different accounts.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local user Kmitnick followed by an event for the credentials being validated by the DC. The telemetry was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon.
[1]
[2]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource.
[1]
[2]
[3]
[4]
| |
| Carbon Black |
|
Telemetry |
|
| Telemetry showed a process tree containing net.exe and command-line arguments.
[1]
[2]
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated indicating that a connected network share was removed.
[1]
[2]
| |
| CrowdStrike |
|
General Behavior (Delayed) |

|
| The OverWatch team sent an email indicating a General Behavior was observed because the user Bob removed an artifact for the ADMIN$ share.
[1]
[2]
|
|
Telemetry (Tainted) |

|
| Telemetry showed net.exe executing with command-line arguments. The telemetry was tainted by a previous powershell.exe detection.
[1]
[2]
| |
| Cybereason |
|
General Behavior (Tainted) |

|
| A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was tainted by a parent PowerShell alert.
[1]
|
|
Telemetry |
|
| Telemetry showed net.exe executing with command-line arguments.
[1]
| |
| Endgame |
|
Telemetry (Tainted) |

|
| Telemetry showed an event tree containing net.exe and command-line arguments (tainted by parent PowerShell alert).
[1]
| |
| FireEye |
|
Telemetry |
|
| Telemetry showed net.exe executing with command-line arguments.
[1]
[2]
|
|
Specific Behavior (Delayed) |

|
| The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker unmounted the share from CodeRed.
[1]
[2]
| |
| F-Secure |
|
General Behavior |
|
| A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).
[1]
[2]
|
|
Telemetry |
|
| Telemetry showed powershell.exe executing net.exe with command-line arguments.
[1]
[2]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed net.exe executing with command-line arguments (tainted by the parent "Powershell executed remote commands" alert).
[1]
| |
| McAfee |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on powershell.exe.
[1]
[2]
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated for the net utility removing a shared connection via PowerShell. The alert was tagged with the correct ATT&CK Tactic (Defense Evasion) and Technique (Network Share Connection Removal).
[1]
[2]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed net.exe with command-line arguments (tainted by parent alert on PowerShell script with suspicious content).
[1]
[2]
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
[1]
[2]
|
|
Enrichment |
|
| The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Connection Removal).
[1]
[2]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed net.exe execution and command-line arguments.
[1]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed execution of net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
[1]
| |
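The rows above describe the same net.exe sequence from every product's point of view: a spray of accounts against ADMIN$, a successful mount with Kmitnick's credentials (with the password visible in the command line unless the product redacted it), and the later `net use /delete`. What follows is an added example written for this page, not code from the evaluation or from any vendor in the table. It runs over constructed EDR process-creation events from CodeRed (10.0.1.5) and constructed Security-log events from Conficker (10.0.0.5); the spray accounts other than Kmitnick, the password, the pids and the timestamps are made up. It also addresses the caveat raised in the SentinelOne rows, that net.exe's exit code 0x2 does not distinguish a bad password from a valid account that simply lacks rights to the share: each failure is correlated with the target's Security log, where a 4625 with SubStatus 0xC000006A means a wrong password and a 4624 network logon (type 3) with no 4625 means the credentials were accepted and the share itself refused the account (the Morris/Conficker case above). The page uses the 2018 ATT&CK numbering (T1077, T1126); the current sub-technique IDs are noted in the tags. net1.exe, which net.exe spawns for `use`, is parsed the same way.

```python
"""Detection logic for net.exe admin-share activity (added example, not from the page)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

NET_IMAGES = {"net", "net.exe", "net1", "net1.exe"}
BAD_PASSWORD_SUBSTATUS = "0xc000006a"  # 4625 SubStatus for a wrong password


def parse_net_use(cmdline):
    """Security-relevant parts of a `net use` line, or None. The password is never
    returned, only whether one was typed on the command line (see the FireEye rows)."""
    tokens = cmdline.strip().split()
    if len(tokens) < 2 or tokens[0].lower().split("\\")[-1] not in NET_IMAGES:
        return None
    if tokens[1].lower() != "use":
        return None
    parsed = {"action": "mount", "host": None, "share": None, "user": None,
              "password_in_cmdline": False}
    for tok in tokens[2:]:
        low = tok.lower()
        if low.startswith("\\\\"):                       # \\host\share
            host, _, share = tok[2:].partition("\\")
            parsed["host"], parsed["share"] = host, (share.upper() or None)
        elif low.startswith("/user:"):
            parsed["user"] = tok[len("/user:"):]
        elif low.startswith("/d"):                       # /delete (net accepts prefixes)
            parsed["action"] = "delete"
        elif low.startswith("/") or re.fullmatch(r"[a-z]:", low) or tok == "*":
            continue                                     # other switch, drive letter, prompt
        elif parsed["host"] is not None:
            parsed["password_in_cmdline"] = True         # positional password
    return parsed


def classify_failure(attempt, parsed, security_events, window):
    """Explain a failed mount from the target's Security log (exit code 2 alone cannot)."""
    account = (parsed["user"] or attempt["user"]).split("\\")[-1].lower()
    for sec in sorted(security_events, key=lambda s: s["time"]):
        if sec["host"] != parsed["host"] or sec["account"].lower() != account:
            continue
        if abs(sec["time"] - attempt["time"]) > window:
            continue
        if sec["id"] == 4625:
            sub = sec.get("substatus", "").lower()
            return "bad_password" if sub == BAD_PASSWORD_SUBSTATUS else "logon_failure_" + sub
        if sec["id"] == 4624 and sec.get("logon_type") == 3:
            return "valid_account_insufficient_access"   # authenticated, share ACL denied
    return "unknown"


def detect(process_events, security_events, window=timedelta(minutes=5), spray_threshold=3):
    """Findings in time order: admin-share mounts, their failure cause, sprays, removals."""
    findings, attempts, sprayed = [], defaultdict(list), set()
    for ev in sorted(process_events, key=lambda e: e["time"]):
        parsed = parse_net_use(ev["cmdline"])
        if parsed is None:
            continue
        base = {"time": ev["time"], "source": ev["host"], "source_user": ev["user"],
                "parent": ev["parent"], "target": parsed["host"], "share": parsed["share"]}
        if parsed["action"] == "delete":
            findings.append({**base, "type": "share_connection_removed",
                             "technique": "T1126 Network Share Connection Removal (now T1070.005)"})
            continue
        if not parsed["share"] or not parsed["share"].endswith("$"):
            continue                                     # ordinary share, out of scope here
        account = (parsed["user"] or ev["user"]).lower()
        key = (ev["host"], parsed["host"])               # (source, target) pair being sprayed
        attempts[key].append((ev["time"], account))
        if ev["exit_code"] == 0:
            findings.append({**base, "type": "admin_share_mount", "account": account,
                             "password_in_cmdline": parsed["password_in_cmdline"],
                             "technique": "T1077 Windows Admin Shares (now T1021.002)"})
        else:
            findings.append({**base, "type": "admin_share_mount_failed", "account": account,
                             "exit_code": ev["exit_code"],
                             "reason": classify_failure(ev, parsed, security_events, window)})
        recent = sorted({a for t, a in attempts[key] if ev["time"] - t <= window})
        if len(recent) >= spray_threshold and key not in sprayed:
            sprayed.add(key)
            findings.append({**base, "type": "password_spray", "accounts": recent,
                             "technique": "T1110 Brute Force (now T1110.003 Password Spraying)"})
    return findings


# Constructed sample: Bob's PowerShell session on CodeRed spraying Conficker.
T0 = datetime(2018, 10, 1, 12, 0, 0)
SAMPLE_PROCESS_EVENTS = [
    {"time": T0, "host": "10.0.1.5", "user": "Bob", "parent": "powershell.exe", "exit_code": 2,
     "cmdline": r"net use \\10.0.0.5\ADMIN$ /user:CORP\jdoe Autumn2018!"},
    {"time": T0 + timedelta(seconds=5), "host": "10.0.1.5", "user": "Bob", "parent": "powershell.exe",
     "exit_code": 2, "cmdline": r"net use \\10.0.0.5\ADMIN$ /user:CORP\asmith Autumn2018!"},
    {"time": T0 + timedelta(seconds=10), "host": "10.0.1.5", "user": "Bob", "parent": "powershell.exe",
     "exit_code": 0, "cmdline": r"net use \\10.0.0.5\ADMIN$ /user:CORP\Kmitnick Autumn2018!"},
    {"time": T0 + timedelta(seconds=60), "host": "10.0.1.5", "user": "Bob", "parent": "powershell.exe",
     "exit_code": 0, "cmdline": r"net use \\10.0.0.5\ADMIN$ /delete"},
]
SAMPLE_SECURITY_EVENTS = [  # constructed Security-log records from Conficker
    {"time": T0 + timedelta(seconds=1), "host": "10.0.0.5", "id": 4625, "account": "jdoe",
     "substatus": "0xC000006A"},
    {"time": T0 + timedelta(seconds=6), "host": "10.0.0.5", "id": 4624, "account": "asmith",
     "logon_type": 3},                                   # valid password, not a local admin
    {"time": T0 + timedelta(seconds=11), "host": "10.0.0.5", "id": 4624, "account": "Kmitnick",
     "logon_type": 3},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_PROCESS_EVENTS, SAMPLE_SECURITY_EVENTS):
        print(f["type"], {k: v for k, v in f.items() if k not in ("type", "time")})
```

On the sample the findings come out as two failed mounts (one bad password, one valid account without share access), the successful Kmitnick mount flagged for carrying its password on the command line, a spray finding once three distinct accounts have hit the same target inside the window, and the share removal. The spray threshold and window are the knobs to tune against your own baseline; the important design choice is keying the spray on the (source, target) pair and counting distinct accounts, which is exactly the signal the products above that flagged "different accounts" were using.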
| Carbon Black |
|
Telemetry |
|
| Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments targeting C$ using valid account credentials.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Specific Behavior |
|
| Specific Behavior alerts were generated mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| CrowdStrike |
|
General Behavior (Delayed) |

|
| The OverWatch team sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments to the C$ share on 10.0.0.4 (Creeper) as the user Kmitnick. The telemetry was tainted by a previous powershell.exe detection.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| Cybereason |
|
Specific Behavior (Tainted) |

|
| A Specific Behavior alert was generated for net.exe attempting to mount an administrative share. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares). The alert was tainted by a parent PowerShell alert.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Telemetry |
|
| Telemetry showed net.exe executing with command-line arguments.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| Endgame |
|
Specific Behavior (Tainted) |

|
| A Specific Behavior alert was triggered for each individual net.exe connection with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). The alert was also tagged with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement).
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Telemetry (Tainted) |

|
| Telemetry showed logon attempt targeting C$ via net.exe and command-line arguments.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Enrichment (Delayed, Tainted) |
 
|
| The capability enriched net.exe connection events with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert).
[1]
[2]
[3]
[4]
[5]
[6]
| |
| FireEye |
|
Specific Behavior (Delayed) |

|
| The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker mounted the C$ share on Creeper with the Kmitnick account.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Enrichment |
|
| The capability enriched net1.exe with an alert for Net Use Command Execution (Weak Signal). The alert also was tagged with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| F-Secure |
|
General Behavior |
|
| A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Telemetry |
|
| Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
| |
| McAfee |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on powershell.exe.
[1]
[2]
[3]
[4]
[5]
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated for the net utility executed to authenticate to a remote admin share with valid accounts. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares).
[1]
[2]
[3]
[4]
[5]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. The telemetry was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed a logon attempt targeting C$ via net.exe and command-line arguments.
[1]
[2]
[3]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt targeting C$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
[1]
[2]
[3]
[4]
[5]
| |
| Carbon Black |
|
Telemetry |
|
| Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments using valid account credentials.
[1]
[2]
[3]
[4]
[5]
| |
| CrowdStrike |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments to the C$ share on Creeper as the user Kmitnick. The process tree view showed net.exe as tainted by a previous powershell.exe detection.
[1]
[2]
[3]
[4]
| |
| Cybereason |
|
General Behavior (Tainted) |

|
| A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was tainted by a parent PowerShell alert.
[1]
[2]
[3]
|
|
Telemetry |
|
| Telemetry showed net.exe executing with command-line arguments.
[1]
[2]
[3]
| |
| Endgame |
|
Enrichment (Tainted) |

|
| The capability enriched the net.exe connection (using valid credentials for Kmitnick) with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert).
[1]
[2]
[3]
[4]
[5]
|
|
Enrichment (Delayed, Tainted) |
 
|
| The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert).
[1]
[2]
[3]
[4]
[5]
|
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials for user Kmitnick (tainted by parent PowerShell alert).
[1]
[2]
[3]
[4]
[5]
| |
| FireEye |
|
Specific Behavior (Delayed) |

|
| The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker mounted the C$ share on Creeper with the Kmitnick account.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Enrichment |
|
| The capability enriched a logon attempt via net1.exe using valid credentials for user Kmitnick with an alert for Net Use Command Execution (Weak Signal). The password for the user Kmitnick was redacted by the capability.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| F-Secure |
|
Enrichment |
|
| The capability enriched the net.exe connection using valid credentials of Kmitnick with an alert for possible lateral movement.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Telemetry |
|
| Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. Telemetry also showed a logon event for user Kmitnick on Creeper (10.0.0.4).
[1]
[2]
[3]
[4]
[5]
[6]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick.
[1]
[2]
[3]
[4]
| |
| McAfee |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on powershell.exe.
[1]
[2]
[3]
[4]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed that the logon event for Kmitnick on Creeper was successful.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick, followed by an event for a successful logon. The telemetry was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments using valid credentials of user Kmitnick.
[1]
[2]
[3]
[4]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials of user Kmitnick. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
[1]
[2]
[3]
[4]
| |
| Carbon Black |
|
Telemetry |
|
| Telemetry showed file modification events for the creation of, and writes to, autoupdate.vbs.
[1]
[2]
[3]
[4]
| |
| CrowdStrike |
|
General Behavior (Delayed) |

|
| The OverWatch team sent an email indicating a General Behavior was observed because a .vbs was written to the filesystem, which was likely used to carry out additional actions.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Telemetry (Tainted) |

|
| Telemetry showed File Write and New Script Write events for autoupdate.vbs under powershell.exe. The telemetry was tainted by a previous detection.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| Cybereason |
|
Telemetry (Tainted) |

|
| Telemetry showed the file write of autoupdate.vbs. The telemetry was tainted by a parent PowerShell alert listed as the owner process.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
| |
| Endgame |
|
Telemetry (Tainted) |

|
| Telemetry showed creation of autoupdate.vbs (tainted by parent PowerShell alert).
[1]
[2]
[3]
[4]
| |
| FireEye |
|
Enrichment |
|
| The capability enriched powershell.exe writing autoupdate.vbs with an alert for PowerShell File Write (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and Tactics (Command and Control, Lateral Movement).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe creating autoupdate.vbs (tainted by parent "Powershell executed remote commands" alerts).
[1]
[2]
[3]
[4]
[5]
[6]
| |
| McAfee |
|
Enrichment |
|
| The capability enriched powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Remote File Copy) and a suspicious indicator that a file was copied to a remote computer via PowerShell.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Telemetry |
|
| Telemetry showed the creation of autoupdate.vbs on CodeRed (10.0.1.5).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe creating autoupdate.vbs (tainted by parent alert on PowerShell script with suspicious content).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed file write of autoupdate.vbs.
[1]
[2]
[3]
[4]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed creation and file write events for autoupdate.vbs. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
[1]
[2]
[3]
[4]
[5]
[6]
| |
| Carbon Black |
|
Telemetry |
|
| Telemetry showed a process tree with cmd.exe execution and associated user context change.
[1]
[2]
[3]
|
|
Enrichment |
|
| The capability enriched cmd.exe event data with the correct ATT&CK Technique (T1059 - Command-Line Interface).
[1]
[2]
[3]
| |
| CrowdStrike |
|
Telemetry (Tainted) |

|
| Telemetry showed a new cmd.exe process running wscript.exe as user Kmitnick, which then launched powershell.exe. The command line arguments for cmd.exe showed that autoupdate.vbs was run. The telemetry was tainted by a previous detection.
[1]
[2]
| |
| Cybereason |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing autoupdate.vbs through wscript.exe. The telemetry was tainted by a parent PowerShell alert based on a malicious Invoke-RunAs command.
[1]
[2]
| |
| Endgame |
|
Enrichment (Delayed, Tainted) |
 
|
| The capability enriched the execution of autoupdate.vbs with a related ATT&CK Technique (T1064 - Scripting) and Tactic (Execution) (tainted by parent PowerShell alert).
[1]
[2]
[3]
|
|
Enrichment (Tainted) |

|
| The capability enriched events related to cmd.exe launching PowerShell via wscript.exe running autoupdate.vbs (tainted by parent PowerShell alert).
[1]
[2]
[3]
|
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe execution and associated user context change (tainted by parent PowerShell alert).
[1]
[2]
[3]
| |
| FireEye |
|
Telemetry |
|
| Telemetry showed cmd.exe executing autoupdate.vbs with a parent process of powershell.exe.
[1]
[2]
|
|
Enrichment |
|
| The capability enriched cmd.exe spawning wscript.exe with an alert for Wscript Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1059 - Command-Line Interface) and Tactic (Execution). Alert details showed that the context of the user was changed to Kmitnick.
[1]
[2]
| |
| F-Secure |
|
General Behavior |
|
| A General Behavior alert was generated showing that a spawned process (cmd.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe).
[1]
[2]
|
|
Telemetry |
|
| Telemetry showed cmd.exe executing autoupdate.vbs through wscript.exe, and the associated user context change between user Bob and user Kmitnick.
[1]
[2]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed svchost.exe creating cmd.exe, which ran autoupdate.vbs as user Kmitnick (tainted by the parent \"Powershell executed remote commands\" alert).
[1]
[2]
[3]
| |
| McAfee |
|
Enrichment |
|
| The capability enriched wscript.exe executing autoupdate.vbs with the correct ATT&CK Tactic (Execution) and Technique (Command Line Interface).
[1]
[2]
|
|
Telemetry |
|
| Telemetry showed cmd.exe executing autoupdate.vbs as user Kmitnick.
[1]
[2]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing autoupdate.vbs via wscript.exe as user Kmitnick. The execution generated three new PowerShell related alerts for the initial execution sequence of Empire that tainted this event, but were not counted as separate detections for this technique.
[1]
[2]
[3]
[4]
| |
| Palo Alto Networks |
|
Enrichment |
|
| The capability enriched wscript.exe executing autoupdate.vbs with a related ATT&CK Technique (Scripting).
[1]
[2]
[3]
|
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe executing autoupdate.vbs. The telemetry was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
|
|
Indicator of Compromise |
|
| An Indicator of Compromise Alert was generated identify PowerShell Empire using the Runas functionality.
[1]
[2]
[3]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed cmd.exe executing autoupdate.vbs via wscript.exe as user Kmitnick
[1]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed cmd.exe execution of autoupdate.vbs. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
[1]
| |
| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry showed file modification events for the creation of, and writes to, update.vbs on remote host 10.0.0.4 (Creeper). |
| CrowdStrike | Telemetry | Telemetry showed update.vbs written to the C$ remote share on host 10.0.0.4 (Creeper). |
| Cybereason | Telemetry (Tainted) | Telemetry showed file events for the write of update.vbs to Creeper (10.0.0.4). The telemetry was tainted by a parent PowerShell alert listed as the owner process. |
| Endgame | Telemetry | Telemetry for file creation events was available and would show the creation of update.vbs. No screenshot for the event was made available, though other file creation events, as well as the subsequent execution of update.vbs, were identified. |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified the autoupdate.vbs script being written to Creeper. |
| FireEye | Enrichment | The capability enriched powershell.exe writing update.vbs with an alert for File Write to Network Share (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and Tactic (Lateral Movement). |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability enriched the update.vbs creation event with the condition "File created on hidden share (C$)". The enrichment was tainted by parent "Powershell executed remote commands" alerts. |
| McAfee | Enrichment | The capability enriched powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Remote File Copy) and a suspicious indicator that a file was copied to a remote computer via PowerShell. |
| McAfee | Telemetry | Telemetry showed the creation of update.vbs on Creeper (10.0.0.4). |
| Microsoft | Telemetry (Tainted) | Telemetry showed creation of update.vbs on 10.0.0.4 (Creeper) and the remote file copy action from 10.0.1.5 (CodeRed) (the remote file copy event on CodeRed was tainted by parent PowerShell alerts). |
| Palo Alto Networks | Telemetry | Telemetry showed file create and write events for update.vbs. |
| Palo Alto Networks | Specific Behavior (Tainted) | A Specific Behavior alert was generated for a script being modified/moved to a remote location. The alert was tainted by a parent alert on wscript.exe. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed creation of update.vbs on 10.0.0.4 (Creeper). The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). |

| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry within the process tree showed execution of sc.exe with command-line arguments to remotely query services on Creeper. Telemetry also showed module loads and a network connection to Creeper (10.0.0.4). |
| Carbon Black | Enrichment | The capability enriched the sc.exe execution with the correct ATT&CK Technique (System Service Discovery). |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed execution of sc.exe to query services on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team sent an email indicating a Specific Behavior was observed because the user Bob was querying for a particular service on Creeper. |
| Cybereason | Telemetry (Tainted) | Telemetry showed sc.exe execution with command-line arguments. The telemetry was tainted by a parent PowerShell alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed sc.exe execution to query services on Creeper. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched sc.exe with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. |
| FireEye | Enrichment | The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed powershell.exe executing sc.exe to remotely query services on Creeper and enriched sc.exe with the condition SC Query Reconnaissance Command. The enrichment was tainted by the parent "Powershell executed remote commands" alert. |
| RSA | Telemetry | Telemetry showed execution of sc.exe to query services on 10.0.0.4 (Creeper). |
| SentinelOne | Telemetry (Tainted) | Telemetry showed execution of sc.exe to query services on Creeper. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). |

| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Specific Behavior | A Specific Behavior alert was generated for sc.exe execution to create the AdobeUpdater service with the correct ATT&CK Technique (New Service). |
| Carbon Black | Telemetry | Telemetry within the process tree showed execution of sc.exe with command-line arguments to create a new AdobeUpdater service containing a binPath pointed to cmd.exe with arguments to execute update.vbs. |
| CrowdStrike | General Behavior (Delayed) | The OverWatch team sent an email indicating they observed a General Behavior because a newly created file (AdobeUpdater service in the Registry) established persistence on the host. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed sc.exe executing with command-line arguments for a new service called AdobeUpdater with binPath pointed to cmd.exe with arguments to execute update.vbs and service description "Synchronize with Adobe for security updates." The process tree view showed sc.exe as tainted by a previous powershell.exe detection. |
| Cybereason | Telemetry | Telemetry showed sc.exe executing with command-line arguments. |
| Cybereason | Specific Behavior (Tainted) | A Specific Behavior alert was generated for the unconventional creation of a new service with the correct ATT&CK Technique (New Service) and Tactic (Persistence, Privilege Escalation). The alert was tainted by a parent PowerShell alert. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched sc.exe with the correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence). The enrichment was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. |
| Endgame | Specific Behavior | A Specific Behavior alert named "Persistence-New Service" was generated on the AdobeUpdater service. The alert was also tagged with the correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence). |
| Endgame | Telemetry (Tainted) | Telemetry showed sc.exe execution to create the AdobeUpdater service and set the binPath to run cmd.exe with an argument to execute update.vbs. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. |
| FireEye | Enrichment | The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it observed the sc.exe command creating a new service called adobeupdater on Creeper from CodeRed. |
| F-Secure | Specific Behavior | A Specific Behavior alert was generated for sc.exe used with parameters typical for lateral movement. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (sc) had been tagged for monitoring because its parent process (powershell.exe) had a detection. |
| F-Secure | Telemetry | Telemetry showed sc.exe execution with command-line arguments. |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe executing sc.exe to create a new service named AdobeUpdater with binPath pointed to cmd.exe with arguments to run update.vbs and a suspicious service description. The telemetry was tainted by the parent "Powershell executed remote commands" alert. |
| GoSecure | Specific Behavior (Configuration Change) | An alert called "Windows Service Registry Key modified" and a Specific Behavior alert called "New Windows service created" were generated due to the AdobeUpdater service being created in the Registry. |
| McAfee | Enrichment | The capability enriched sc.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tool. |
| McAfee | Telemetry (Tainted) | Telemetry showed that a new service was added. Telemetry also showed powershell.exe executing sc.exe. The telemetry was tainted by a trace detection on cmd.exe. |
| Microsoft | Telemetry (Tainted) | Telemetry from CodeRed showed sc.exe execution to remotely create the AdobeUpdater service with a binPath set to run cmd.exe with an argument to execute update.vbs on Creeper (tainted by parent alert on PowerShell script with suspicious content). Telemetry from Creeper showed the Registry keys that were changed to add the new service. |
| Microsoft | Specific Behavior | A Specific Behavior alert was generated for the suspicious service registration of AdobeUpdater. |
| Palo Alto Networks | Specific Behavior (Tainted) | A Specific Behavior alert was generated for a new service created via the command line. The alert was tainted by a parent alert on wscript.exe. |
| Palo Alto Networks | Enrichment | The capability enriched sc.exe executing with the correct ATT&CK Technique (New Service). |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed execution of sc.exe with command-line arguments to create a new AdobeUpdater service containing a binPath pointed to cmd.exe with arguments to execute update.vbs. Telemetry also showed the creation of Registry keys associated with this new service. The telemetry was tainted by a parent alert on wscript.exe. |
| RSA | Telemetry | Telemetry showed execution of sc.exe to create a new service called AdobeUpdater with a binPath set to run cmd.exe and execute update.vbs. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed execution of sc.exe to create the AdobeUpdater service on Creeper with a binPath pointing to cmd.exe to execute update.vbs. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). |

| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry within the process trees showed execution of sc.exe with command-line arguments to create the AdobeUpdater service with binPath pointed to cmd.exe with arguments to execute update.vbs and a suspicious service description, which indicates masquerading. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed sc.exe executing with command-line arguments for a new service called AdobeUpdater with binPath pointed to cmd.exe with arguments to execute update.vbs and service description "Synchronize with Adobe for security updates." An analyst could use this information to determine it is not a legitimate service. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. |
| Cybereason | Telemetry (Tainted) | Telemetry showed sc.exe executing with command-line arguments to set the service description. An analyst could use this information to determine it is not a legitimate service. The telemetry was tainted by a parent PowerShell alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed sc.exe executions to create the AdobeUpdater service, set the binPath to run cmd.exe with an argument to execute update.vbs, and set the description of the service. An analyst could use this information to determine that masquerading occurred. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. |
| FireEye | Enrichment | The capability enriched the sc.exe command with an alert for SC Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1007 - System Service Discovery) and the correct Tactic (Discovery). |
| F-Secure | Telemetry | Telemetry within the process trees showed execution of sc.exe with command-line arguments to create the AdobeUpdater service with binPath pointed to cmd.exe with arguments to execute update.vbs and a suspicious service description, which could indicate masquerading. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (sc) had been tagged for monitoring because its parent process (powershell.exe) had a detection. |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe executing sc.exe to create a new service named AdobeUpdater with binPath pointed to cmd.exe with arguments to run update.vbs and a suspicious service description, which could assist an analyst in determining this was not a legitimate Adobe product. The telemetry was tainted by the parent "Powershell executed remote commands" alert. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing sc.exe with command-line arguments to create and configure the AdobeUpdater service, which an analyst could use to determine that the service is masquerading. The telemetry was tainted by a trace detection on cmd.exe. |
| Microsoft | Telemetry (Tainted) | Telemetry from CodeRed showed the sc.exe service creation command for the AdobeUpdater service with a binPath set to run update.vbs with cmd.exe on startup on Creeper (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed the sc.exe command to set the service description, but a screenshot was not available. An analyst can use this information to determine AdobeUpdater is masquerading. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed execution of sc.exe with command-line arguments to set the service description. An analyst could use this information to determine it is not a legitimate service. The telemetry was tainted by a parent alert on wscript.exe. |
| RSA | Telemetry | Telemetry showed execution of sc.exe to create a new service called AdobeUpdater with a binPath set to run cmd.exe and execute update.vbs, as well as to set the service description. An analyst can use this information to determine the service is masquerading. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed executions of sc.exe to create the AdobeUpdater service on Creeper with a binPath pointing to cmd.exe to execute update.vbs, as well as to set the service description. An analyst can use this information to determine AdobeUpdater is masquerading. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). |

| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Enrichment | The capability enriched sc.exe execution with the correct ATT&CK Technique (System Service Discovery). |
| Carbon Black | Telemetry | Telemetry within the process tree showed execution of sc.exe with command-line arguments to query the AdobeUpdater service on Creeper. |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team sent an email indicating they observed a Specific Behavior because the user Bob queried for a particular service on Creeper. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed sc.exe executing with command-line arguments to query the AdobeUpdater service on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. |
| Cybereason | Telemetry (Tainted) | Telemetry showed sc.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed sc.exe execution to query the AdobeUpdater service on Creeper. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched sc.exe with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. |
| FireEye | Enrichment | The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed powershell.exe executing sc.exe to query the AdobeUpdater service on Creeper and enriched sc.exe with the condition SC QC Reconnaissance Command. The enrichment was tainted by the parent "Powershell executed remote commands" alert. |
| RSA | Telemetry | Telemetry showed execution of sc.exe to query for the AdobeUpdater service on 10.0.0.4 (Creeper). |
| SentinelOne | Telemetry (Tainted) | Telemetry showed execution of sc.exe to query the AdobeUpdater service on Creeper. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). |

| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | None | No detection capability demonstrated for this procedure. |
| Cybereason | None | No detection capability demonstrated for this procedure. |
| Endgame | None | No detection capability demonstrated for this procedure. |
| FireEye | None | No detection capability identified for this procedure. |
| GoSecure | None | No detection capability demonstrated for this procedure. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed a file read event for update.vbs. The telemetry was tainted by a parent alert on wscript.exe. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Telemetry | Telemetry showed a remote access event on update.vbs. |

| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry within the process tree showed execution of sc.exe with command-line arguments to start the AdobeUpdater service on Creeper. |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team sent an email indicating they observed a Specific Behavior because update.vbs executed following the start of the AdobeUpdater service. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed sc.exe executing with command-line arguments to start the AdobeUpdater service on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. |
| Cybereason | Telemetry (Tainted) | Telemetry showed cmd.exe executing update.vbs from the Adobe Flash Updater service. Telemetry also showed sc.exe executing the service. The telemetry was tainted by a parent PowerShell alert. |
| Endgame | Specific Behavior | A Specific Behavior alert named "Service Command Lateral Movement" was generated for the sc.exe command to start AdobeUpdater. The alert was also tagged with the correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution). |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched sc.exe with the correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution). The event was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. |
| Endgame | Telemetry (Tainted) | Telemetry showed sc.exe execution to start the AdobeUpdater service on Creeper. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. |
| FireEye | Enrichment | The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it observed the sc.exe command starting the adobeupdater service on Creeper. |
| F-Secure | Telemetry | Telemetry showed sc.exe execution with command-line arguments. |
| F-Secure | Specific Behavior | A Specific Behavior alert was generated for sc.exe used with parameters typical for lateral movement. |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (sc) had been tagged for monitoring because its parent process (powershell.exe) had a detection. |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe executing sc.exe to start the AdobeUpdater service on Creeper. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Telemetry from Creeper also showed services.exe creating cmd.exe, which executed the update.vbs file (showing the AdobeUpdater service starting). |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing sc.exe. The telemetry was tainted by a trace detection on cmd.exe. |
| McAfee | Enrichment | The capability enriched sc.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tool. |
| Microsoft | Telemetry (Tainted) | Telemetry from CodeRed showed the sc.exe remote service start to execute the AdobeUpdater service on Creeper (tainted by parent alert on PowerShell script with suspicious content). Telemetry from Creeper showed the execution sequence of Empire and command and control connections. |
| Microsoft | Specific Behavior | A Specific Behavior alert was generated for a successful AdobeUpdater remote service execution attempt on Creeper. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed powershell.exe executing sc with command-line arguments. As part of the service, telemetry also showed cmd.exe executing update.vbs on 10.0.0.4 (Creeper). The telemetry was tainted by a parent alert on wscript.exe. |
| Palo Alto Networks | Enrichment | The capability enriched sc.exe executing with command-line arguments with the correct ATT&CK Technique (Service Execution). |
| RSA | Telemetry | Telemetry showed execution of sc.exe to start the AdobeUpdater service on 10.0.0.4 (Creeper). Telemetry on Creeper showed the execution of cmd.exe to run update.vbs. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed execution of sc.exe to start the AdobeUpdater service on Creeper. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). |
| SentinelOne | General Behavior | A General Behavior alert was generated for the lateral movement activity. A new story grouping was generated for the event on Creeper to associate subsequent activity. |

| Vendor | Detection Type | Notes |
|---|---|---|
| Carbon Black | Telemetry | Telemetry within the process tree showed reg.exe executing with command-line arguments to check if terminal services were enabled. |
| CrowdStrike | Telemetry (Tainted) | Telemetry showed reg.exe executing with command-line arguments to check if terminal services were enabled. The process tree view showed reg.exe as tainted by a previous powershell.exe detection. |
| Cybereason | Telemetry (Tainted) | Telemetry showed reg.exe executing with command-line arguments indicating a check to see if terminal services were enabled. The telemetry was tainted by a parent PowerShell alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed powershell.exe executing reg.exe with command-line arguments indicating a check to see if terminal services were enabled. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. |
| FireEye | Telemetry (Tainted) | Telemetry showed reg.exe executing with command-line arguments to check if terminal services were enabled. The telemetry was tainted by the parent Reg Execution (Weak Signal) alert. |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe executing reg.exe with command-line arguments indicating a check to see if terminal services were enabled. The telemetry was tainted by the parent "New Windows service created" alert. |
| McAfee | Enrichment | The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that the Registry was queried for remote (RDP) services. |
| McAfee | Telemetry (Tainted) | Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent cmd.exe alert. |
| McAfee | Enrichment | The capability enriched the powershell.exe that executed reg.exe with the ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that PowerShell queried the Registry for terminal services. |
| Microsoft | Telemetry (Tainted) | Telemetry showed reg.exe executing with command-line arguments indicating a check to see if terminal services were enabled (tainted by prior alert on suspicious PowerShell command line). |
| RSA | Telemetry | Telemetry showed reg.exe executing with command-line arguments indicating a check to see if terminal services were enabled. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed reg.exe execution with command-line arguments indicating a check to see if terminal services were enabled. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). |

| Carbon Black |
|
Telemetry |
|
| Telemetry within the process tree showed reg.exe executing with command-line arguments.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Enrichment |
|
| The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| CrowdStrike |
|
Telemetry (Tainted) |

|
| Telemetry showed reg.exe executing with command-line arguments. The process tree view showed reg.exe as tainted by a previous powershell.exe detection.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
| |
| Cybereason |
|
Telemetry (Tainted) |

|
| Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert.
[1]
[2]
[3]
[4]
[5]
| |
| Endgame |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing reg.exe with command-line arguments. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
|
|
Enrichment (Delayed, Tainted) |
 
|
| The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
| |
| FireEye |
|
Enrichment |
|
| The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing reg.exe with command-line arguments. The telemetry was tainted by the parent "New Windows service created" alert.
[1]
[2]
[3]
[4]
[5]
| |
| McAfee |
|
Enrichment |
|
| The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the reg.exe utility queried the Registry.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
|
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing reg.exe. The telemetry was tainted by a trace detection on cmd.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed reg.exe executing with command-line arguments (tainted by prior alert on suspicious PowerShell command line).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| Palo Alto Networks |
|
Enrichment |
|
| The capability enriched reg.exe executing with command-line arguments with a related ATT&CK Technique (System Service Discovery).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
|
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing reg with command-line arguments to check if terminal services were enabled. The telemetry was tainted by a parent alert on cmd.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
|
|
Enrichment (Tainted) |

|
| The capability enriched the reg.exe execution with command-line arguments as a query of the Terminal Server key by the reg utility. The data was tainted by a parent alert on cmd.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed reg.exe executing with command-line arguments.
[1]
[2]
[3]
[4]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed reg.exe execution with command-line arguments. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
[1]
[2]
[3]
[4]
| |
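The reg.exe rows above share two ideas: the command line itself is the signal (a query of the Terminal Server key), and several vendors mark the event as tainted because an ancestor process already carried an alert. The following is an added example, not part of the evaluation or any vendor's product, that implements both over constructed process-creation events; the pids, command lines and the prior alert on cmd.exe are assumptions, while the `Terminal Server` key and its `fDenyTSConnections` value are the real Windows locations that control Remote Desktop.

```python
"""Flag reg.exe queries of the Terminal Server key and propagate taint from
an alerted ancestor process. Sample events are constructed for illustration."""
import re

# Constructed process-creation events (pid/ppid and command lines are made up).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "alerted": False},
    # The prior alert lives on cmd.exe, as in several vendor rows above.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -enc AAAA", "alerted": True},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc AAAA", "alerted": False},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": 'reg query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                '/v fDenyTSConnections', "alerted": False},
    # Benign registry query that must not match.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKCU\Software\Microsoft\Office /s", "alerted": False},
]

TERMINAL_SERVER_KEY = re.compile(r"terminal server", re.IGNORECASE)


def ancestor_alert(event, by_pid):
    """Walk up the process tree and return the nearest alerted ancestor, or None.
    This is the 'tainted by a parent alert' relationship the table describes."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        if cur["alerted"]:
            return cur
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return None


def detect_terminal_services_query(events):
    """Return one finding per reg.exe process that queries the Terminal Server key."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\reg.exe"):
            continue
        cmd = e["cmdline"]
        if "query" not in cmd.lower() or not TERMINAL_SERVER_KEY.search(cmd):
            continue
        taint = ancestor_alert(e, by_pid)
        findings.append({
            "pid": e["pid"],
            "parent_image": by_pid[e["ppid"]]["image"].rsplit("\\", 1)[-1],
            # The table shows vendors mapping this to either technique.
            "technique": "T1012 Query Registry / T1007 System Service Discovery",
            "tainted_by": taint["pid"] if taint else None,
        })
    return findings


if __name__ == "__main__":
    for f in detect_terminal_services_query(SAMPLE_EVENTS):
        print(f)
```

The taint walk stops at the first alerted ancestor, which is how the table's "tainted by a parent cmd.exe alert" reads: the reg.exe event is not itself an alert, but an analyst pivoting from the cmd.exe alert would reach it through the tree.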
| Carbon Black |
|
Telemetry |
|
| Telemetry within the process tree showed execution of takeown.exe with command-line arguments on magnify.exe.
[1]
[2]
[3]
[4]
|
|
Enrichment (Configuration Change) |

|
| The capability enriched the execution of takeown.exe with "Permission modifications".
[1]
[2]
[3]
[4]
| |
| CrowdStrike |
|
General Behavior (Delayed) |

|
| The OverWatch team sent an email indicating a General Behavior was observed because takeown.exe was executed to bypass Windows logon.
[1]
[2]
[3]
[4]
|
|
Telemetry (Tainted) |

|
| Telemetry showed takeown.exe executing with command-line arguments. The process tree view showed takeown.exe as tainted by a previous powershell.exe detection.
[1]
[2]
[3]
[4]
| |
| Cybereason |
|
General Behavior (Tainted) |

|
| A General Behavior alert was generated for takeown.exe performing activity related to swapping an accessibility features binary. The telemetry was tainted by a parent PowerShell alert.
[1]
[2]
|
|
Telemetry |
|
| Telemetry showed takeown.exe executing with command-line arguments.
[1]
[2]
| |
| Endgame |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing takeown.exe with command-line arguments. Telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts.
[1]
[2]
| |
| FireEye |
|
Enrichment |
|
| The capability enriched takeown.exe with an alert for Takeown Execution. The alert described how takeown can be used to change file ownership.
[1]
[2]
| |
| F-Secure |
|
General Behavior |
|
| A General Behavior alert was generated showing that a spawned process (takeown) has been tagged for monitoring because its parent process has a detection (powershell.exe).
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated for takeown.exe changing the ownership of an accessibility feature executable.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Telemetry |
|
| Telemetry showed takeown.exe executing with command-line arguments.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing takeown.exe to take ownership of magnify.exe. The telemetry was tainted by the parent "New Windows service created" alert.
[1]
[2]
| |
| McAfee |
|
Enrichment |
|
| The capability enriched takeown.exe with a suspicious indicator that the takeown command was executed to obtain ownership of a file or directory.
[1]
[2]
[3]
[4]
|
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing takeown.exe. The telemetry was tainted by a trace detection on cmd.exe.
[1]
[2]
[3]
[4]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed takeown.exe execution to change the file permissions on magnify.exe (tainted by prior alert on suspicious PowerShell command-line).
[1]
[2]
[3]
[4]
| |
| Palo Alto Networks |
|
Enrichment |
|
| The capability enriched reg.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification).
[1]
[2]
[3]
[4]
[5]
|
|
Enrichment (Tainted) |

|
| The capability enriched takeown.exe executing with command-line arguments as changing permission or ownership of a file or folder. The data was tainted by a parent alert on cmd.exe.
[1]
[2]
[3]
[4]
[5]
|
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing takeown with command-line arguments. The telemetry was tainted by a parent alert on cmd.exe.
[1]
[2]
[3]
[4]
[5]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed takeown.exe execution to change the file permissions on magnify.exe.
[1]
[2]
| |
| SentinelOne |
|
Enrichment (Tainted) |

|
| Telemetry showed takeown.exe execution with command-line arguments containing magnify.exe. The event was enriched to show that ownership of a file was taken over. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
[1]
[2]
| |
| Carbon Black |
|
Telemetry |
|
| Telemetry within the process tree showed execution of icacls.exe with command-line arguments on magnify.exe.
[1]
[2]
[3]
[4]
|
|
Enrichment (Configuration Change) |

|
| The capability enriched the execution of icacls.exe with "Permission modifications".
[1]
[2]
[3]
[4]
| |
| CrowdStrike |
|
Telemetry (Tainted) |

|
| Telemetry showed execution of icacls.exe with command-line arguments. The process tree view showed icacls.exe as tainted by a previous powershell.exe detection.
[1]
[2]
[3]
[4]
|
|
General Behavior (Delayed) |

|
| The OverWatch team sent an email indicating a General Behavior was observed because icacls.exe was executed to bypass Windows logon.
[1]
[2]
[3]
[4]
| |
| Cybereason |
|
Telemetry (Tainted) |

|
| Telemetry showed icacls.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert.
[1]
[2]
| |
| Endgame |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing icacls.exe with command-line arguments. Telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts.
[1]
[2]
| |
| FireEye |
|
Enrichment |
|
| The capability enriched icacls.exe with an alert for Icacls Execution. The alert described how icacls can be used to display or change Windows file ACLs.
[1]
[2]
| |
| F-Secure |
|
General Behavior |
|
| A General Behavior alert was generated showing that a spawned process (icacls) has been tagged for monitoring because its parent process has a detection (powershell.exe).
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Telemetry |
|
| Telemetry showed icacls.exe executing with command-line arguments.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated for icacls.exe changing the permissions of an accessibility feature executable.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe running icacls.exe to modify magnify.exe access controls. The telemetry was tainted by the parent "New Windows service created" alert.
[1]
[2]
| |
| McAfee |
|
Enrichment |
|
| The capability enriched icacls.exe with a suspicious indicator that full access permissions were given to certain users.
[1]
[2]
[3]
[4]
|
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing icacls.exe. The telemetry was tainted by a trace detection on cmd.exe.
[1]
[2]
[3]
[4]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed icacls.exe execution to change permissions on magnify.exe granting discretionary access to SYSTEM (tainted by prior alert on suspicious PowerShell command-line).
[1]
[2]
[3]
[4]
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe executing icacls with command-line arguments. The telemetry was tainted by a parent alert on cmd.exe.
[1]
[2]
[3]
[4]
[5]
|
|
Enrichment |
|
| The capability enriched icacls.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification).
[1]
[2]
[3]
[4]
[5]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed icacls.exe execution to change permissions on magnify.exe granting discretionary access to SYSTEM.
[1]
[2]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed icacls.exe execution with command-line arguments containing magnify.exe. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
[1]
[2]
| |
| Carbon Black |
|
Telemetry |
|
| Telemetry showed filemod events overwriting magnify.exe in the system directory.
[1]
[2]
[3]
[4]
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated for powershell.exe with a severity score of 51/100 when magnify.exe was replaced. The alert was also mapped to the correct ATT&CK Technique (T1015 - Accessibility Features).
[1]
[2]
[3]
[4]
| |
| CrowdStrike |
|
Telemetry (Tainted) |

|
| Telemetry showed a file write of magnify.exe by powershell.exe in the system directory. The telemetry was tainted by an alert on its parent powershell.exe process.
[1]
[2]
[3]
[4]
[5]
| |
| Cybereason |
|
Telemetry (Tainted) |

|
| Telemetry showed creation and file write events for magnify.exe. The telemetry was tainted by a parent PowerShell alert listed as the owner process.
[1]
[2]
[3]
| |
| Endgame |
|
Specific Behavior |
|
| A Specific Behavior alert was generated named "Persistence-Accessibility Features" based on magnifier.exe being overwritten. The alert was tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence).
[1]
[2]
[3]
[4]
|
|
Telemetry (Tainted) |

|
| Telemetry showed the overwrite of magnify.exe and was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts.
[1]
[2]
[3]
[4]
|
|
Enrichment (Delayed, Tainted) |
 
|
| The capability enriched the magnify.exe overwrite with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence).
[1]
[2]
[3]
[4]
| |
| FireEye |
|
Specific Behavior (Delayed) |

|
| The Managed Defense Report indicated a Specific Behavior occurred because it identified magnifier.exe being overwritten with cmd.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated for Suspicious Accessibility Features Replacement (BACKDOOR) based on magnifier.exe being overwritten. The alert was also tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
|
|
Specific Behavior |
|
| A Specific Behavior alert was also generated for Accessibility Features File Write (Weak Signal) based on magnifier.exe being overwritten. The alert was also tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
| |
| F-Secure |
|
Enrichment |
|
| The capability enriched cmd.exe as being renamed to another process and with a relevant ATT&CK Technique (Masquerading).
[1]
[2]
[3]
[4]
[5]
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated for the modification of an accessibility features binary known to be used for privilege escalation.
[1]
[2]
[3]
[4]
[5]
|
|
Telemetry |
|
| Telemetry showed powershell.exe overwriting magnify.exe with cmd.exe via the copy command.
[1]
[2]
[3]
[4]
[5]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry also showed a different view of the event with powershell.exe copying cmd.exe as magnify.exe in the system directory. The telemetry was tainted by parent "New Windows service created" alerts.
[1]
[2]
[3]
|
|
Enrichment (Configuration Change, Tainted) |
 
|
| The capability enriched powershell.exe creating and writing magnify.exe to the system directory with the condition "Creation of Sticky Keys File." The enrichment was tainted by parent "New Windows service created" alerts.
[1]
[2]
[3]
| |
| McAfee |
|
General Behavior |
|
| A General Behavior alert was generated for powershell.exe altering the attributes of an executable file under the Windows system folder.
[1]
[2]
[3]
[4]
|
|
Telemetry |
|
| Telemetry showed a file modification event for Magnifier.exe.
[1]
[2]
[3]
[4]
| |
| Microsoft |
|
Specific Behavior |
|
| A Specific Behavior alert was generated for overwrite of magnify.exe indicating a sticky keys binary hijack for persistence was detected.
[1]
[2]
[3]
[4]
[5]
|
|
Telemetry |
|
| Telemetry showed powershell.exe overwriting magnify.exe with the new file containing the same hash for cmd.exe. Reputation metadata confirms magnify.exe is cmd.exe under the file names observed.
[1]
[2]
[3]
[4]
[5]
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed file write events overwriting magnify.exe in the system directory as well as the change in the hash of the file. The telemetry was tainted by a parent alert on cmd.exe.
[1]
[2]
[3]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed a file write event on magnify.exe in the system directory. A search for "cmd" on CodeRed shows the hash value of magnify.exe matches cmd.exe.
[1]
[2]
[3]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed file write of magnify.exe in the system directory from a file copy event for cmd.exe with matching hash values. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
[1]
[2]
| |
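The takeown.exe, icacls.exe and magnify.exe overwrite rows above are three views of one chain: ownership is taken on an accessibility binary, its ACL is changed, and it is then overwritten with a copy of cmd.exe, which several vendors recognised by the new file's hash matching cmd.exe. The following added example, not drawn from the evaluation or any vendor's code, correlates those three steps per target binary over constructed process and file-write events. The hashes and the reputation map are constructed; the list of accessibility binaries is the real set of System32 programs reachable from the logon screen.

```python
"""Correlate permission changes and hash-verified overwrites of Windows
accessibility binaries (T1222 -> T1015). All sample data is constructed."""
import hashlib
from collections import defaultdict

# Accessibility programs launchable from the Windows logon screen.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed reputation store: hash -> the file name that hash is known as.
# A real deployment would consult vendor or organisational reputation data.
KNOWN_HASHES = {
    _sha256(b"constructed-cmd.exe-bytes"): "cmd.exe",
    _sha256(b"constructed-magnify.exe-bytes"): "magnify.exe",
}

# Constructed telemetry mirroring the sequence the table describes.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell -enc AAAA"},
    {"type": "process", "pid": 301, "ppid": 300, "image": "takeown.exe",
     "cmdline": "takeown /f C:\\Windows\\System32\\magnify.exe"},
    {"type": "process", "pid": 302, "ppid": 300, "image": "icacls.exe",
     "cmdline": "icacls C:\\Windows\\System32\\magnify.exe /grant SYSTEM:F"},
    {"type": "filewrite", "pid": 300, "path": "C:\\Windows\\System32\\magnify.exe",
     "sha256": _sha256(b"constructed-cmd.exe-bytes")},
    # Unrelated write that must not be reported.
    {"type": "filewrite", "pid": 999, "path": "C:\\Users\\debbie\\notes.txt",
     "sha256": _sha256(b"notes")},
]


def _accessibility_target(text):
    """Return the accessibility binary referenced by a System32 path in text, if any."""
    t = text.lower()
    for name in ACCESSIBILITY_BINARIES:
        if SYSTEM32 + name in t:
            return name
    return None


def detect_accessibility_hijack(events, reputation=KNOWN_HASHES):
    """Group findings by target binary: which tools touched its permissions and
    whether its new content is a known copy of some other program."""
    per_target = defaultdict(lambda: {"permission_tools": [], "overwritten_as": None,
                                      "techniques": set()})
    for e in events:
        if e["type"] == "process" and e["image"].lower() in ("takeown.exe", "icacls.exe"):
            target = _accessibility_target(e["cmdline"])
            if target:
                f = per_target[target]
                f["permission_tools"].append(e["image"].lower())
                f["techniques"].add("T1222 File Permissions Modification")
        elif e["type"] == "filewrite":
            target = _accessibility_target(e["path"])
            if not target:
                continue
            known = reputation.get(e["sha256"])
            # The written bytes are a known binary other than the one being replaced.
            if known and known != target:
                f = per_target[target]
                f["overwritten_as"] = known
                f["techniques"].add("T1015 Accessibility Features")
    return {k: {**v, "techniques": sorted(v["techniques"])} for k, v in per_target.items()}


if __name__ == "__main__":
    for target, f in detect_accessibility_hijack(SAMPLE_EVENTS).items():
        print(target, f)
```

The hash comparison is what turns a file write into a specific finding: a write to magnify.exe by itself is what a legitimate update looks like, but a write whose content is already known as cmd.exe is the replacement the table's Specific Behavior rows describe.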
| Carbon Black |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
[3]
[4]
| |
| Cybereason |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
| |
| Endgame |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
[3]
[4]
| |
| FireEye |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
[3]
[4]
| |
| GoSecure |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
| |
| McAfee |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
[3]
[4]
| |
| Microsoft |
|
Telemetry |
|
| Telemetry showed the decoded PowerShell script that was executed to recursively search for .vsdx files on Conficker's remote file share.
[1]
[2]
[3]
[4]
[5]
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed an event with the execution of the Get-ChildItem command. The telemetry was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
| |
| RSA |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
| |
| SentinelOne |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
| |
| Carbon Black |
|
Telemetry |
|
| Telemetry showed filemod events for the creation and write of the .vsdx file in the Recycle Bin.
[1]
[2]
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated with a severity score of 60/100 and was correctly mapped to the ATT&CK Technique (T1074 - Data Staged).
[1]
[2]
| |
| CrowdStrike |
|
Telemetry |
|
| Telemetry showed the .vsdx file being written into the Recycle Bin.
[1]
[2]
|
|
Specific Behavior (Delayed) |

|
| The OverWatch team sent an email indicating a Specific Behavior was observed: the .vsdx file was copied to the Recycle Bin, a "likely location to stage files of interest."
[1]
[2]
| |
| Cybereason |
|
Telemetry (Tainted) |

|
| Telemetry showed creation of the .vsdx file in the Recycle Bin. The telemetry was tainted by a parent PowerShell alert listed as the owner process.
[1]
| |
| Endgame |
|
Telemetry (Tainted) |

|
| Telemetry showed creation of the .vsdx file in the Recycle Bin. The telemetry was tainted by the parent powershell.exe alerts on "PowerShell with Unusual Arguments" and "PowerShell Network".
[1]
[2]
| |
| FireEye |
|
Telemetry (Tainted) |

|
| Telemetry showed the creation of the .vsdx file in the Recycle Bin. The telemetry was tainted by the parent PowerShell File Write alert.
[1]
[2]
[3]
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated on the file write of the .vsdx named File Write To Root Of Recycle Bin (Weak Signal). The alert details explained how all legitimate files should be written to a subfolder of the recycle bin, and not to the root.
[1]
[2]
[3]
| |
| F-Secure |
|
Telemetry |
|
| Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker (10.0.0.5) to the Recycle Bin as well as a file create event.
[1]
[2]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker to the Recycle Bin. The telemetry was tainted by the parent "Powershell executed encoded commands" alert.
[1]
| |
| McAfee |
|
Telemetry (Tainted) |

|
| Telemetry showed creation of the .vsdx file in the Recycle Bin. The telemetry was tainted by a trace detection on cmd.exe.
[1]
[2]
|
|
Specific Behavior |
|
| A Specific Behavior alert was generated for PowerShell creating a file in the Recycle Bin. The alert was tagged with the correct ATT&CK Tactic (Collection) and Technique (Data Staged).
[1]
[2]
| |
| Microsoft |
|
None |
|
| No detection capability demonstrated for this procedure, though data showed PowerShell Copy-Item cmdlet execution (no information available about what file is being copied or where the data is coming from).
[1]
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed file read and write events for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker) to the Recycle Bin. The telemetry was tainted by a parent alert on wscript.exe.
[1]
| |
| RSA |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed file write of the .vsdx to the Recycle Bin. The activity seen during the lateral movement step tainted the telemetry because it was associated with the same story (Group ID).
[1]
| |
| Carbon Black |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| CrowdStrike |
|
None |
|
| No detection capability demonstrated for this procedure, though telemetry was available for the file write of the .vsdx into the Recycle Bin (no data was available that indicated it came from a network shared drive). | |
| Cybereason |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
| |
| Endgame |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
| |
| FireEye |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| F-Secure |
|
Telemetry |
|
| Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker (10.0.0.5) to the Recycle Bin.
[1]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker to the Recycle Bin. The telemetry was tainted by the parent "Powershell executed encoded commands" alert.
[1]
| |
| McAfee |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| Microsoft |
|
None |
|
| No detection capability demonstrated for this procedure, though data showed PowerShell Copy-Item cmdlet execution (no information available about what file is being copied or where the data is coming from).
[1]
| |
| Palo Alto Networks |
|
Specific Behavior (Tainted) |

|
| A Specific Behavior alert was generated for a script engine reading files from network locations. The alert was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
|
|
Telemetry (Tainted) |

|
| Telemetry showed a file read event for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker). The telemetry was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
| |
| RSA |
|
None |
|
| No detection capability demonstrated for this procedure. | |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed the .vsdx file copied from a network shared drive on Conficker. The activity seen during the lateral movement step tainted the telemetry because it was associated with the same story (Group ID).
[1]
[2]
| |
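The two procedures above (copying the .vsdx from the share on Conficker, then staging it in the Recycle Bin) were detected mostly as tainted telemetry; the one explicit rule the table describes is FireEye's "File Write To Root Of Recycle Bin", which rests on the fact that legitimate deletions land in a per-user SID subfolder rather than the root. The following added example, not part of the evaluation or any vendor's product, applies that rule to constructed file events and additionally notes when the source of the write is a UNC path, which is the network-share origin the other procedure is about. Paths, SIDs and the share address are constructed.

```python
"""Flag writes to the root of $Recycle.Bin and note network-share sources.
Sample events are constructed for illustration."""

RECYCLE_BIN = "$recycle.bin"

# Constructed file events: a staged copy from a share, a normal deletion,
# an archive written to the root, and an unrelated local copy.
SAMPLE_EVENTS = [
    {"process": "powershell.exe", "op": "copy",
     "source": "\\\\10.0.0.5\\share\\diagram.vsdx",
     "dest": "C:\\$Recycle.Bin\\diagram.vsdx"},
    {"process": "explorer.exe", "op": "write", "source": None,
     "dest": "C:\\$Recycle.Bin\\S-1-5-21-111-222-333-1001\\$R3K9Q1F.docx"},
    {"process": "recycler.exe", "op": "write", "source": None,
     "dest": "C:\\$Recycle.Bin\\old.rar"},
    {"process": "powershell.exe", "op": "copy",
     "source": "C:\\Users\\debbie\\a.txt", "dest": "C:\\Temp\\a.txt"},
]


def classify_recycle_bin_write(path):
    """Return 'root' for a file directly under $Recycle.Bin, 'subfolder' for the
    per-SID layout Explorer uses, or None when the path is elsewhere."""
    parts = [p for p in path.replace("/", "\\").lower().split("\\") if p]
    if RECYCLE_BIN not in parts:
        return None
    depth = len(parts) - parts.index(RECYCLE_BIN) - 1  # components after $Recycle.Bin
    return "root" if depth == 1 else "subfolder"


def detect_staging(events):
    """One finding per write to the Recycle Bin root; UNC sources add T1039."""
    findings = []
    for e in events:
        if classify_recycle_bin_write(e["dest"]) != "root":
            continue
        techniques = ["T1074 Data Staged"]
        src = e.get("source") or ""
        from_share = src.startswith("\\\\")
        if from_share:
            techniques.append("T1039 Data from Network Shared Drive")
        findings.append({
            "process": e["process"],
            "dest": e["dest"],
            # \\host\share\file -> host
            "source_share": src.split("\\")[2] if from_share else None,
            "techniques": techniques,
        })
    return findings


if __name__ == "__main__":
    for f in detect_staging(SAMPLE_EVENTS):
        print(f)
```

The depth check is deliberately structural rather than name-based: a $R-prefixed name in the root would still be reported, and a deep write under a SID folder is left alone, which matches the alert's stated reasoning.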
| Carbon Black |
|
Telemetry |
|
| Telemetry showed the creation of recycler.exe. Binary metadata on recycler.exe indicated it was masquerading and had a digital signature and file metadata that matched the WinRAR utility.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| CrowdStrike |
|
Telemetry |
|
| Telemetry showed the SHA256 hash value of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| Cybereason |
|
Telemetry (Tainted) |

|
| Telemetry showed that recycler.exe was WinRAR via file metadata. The telemetry was tainted by a parent PowerShell alert.
[1]
[2]
[3]
| |
| Endgame |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
[3]
| |
| FireEye |
|
Specific Behavior (Delayed) |

|
| The Managed Defense Report indicated a Specific Behavior occurred because it identified the attacker placing the WinRAR utility on the system as recycler.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
|
|
Telemetry (Tainted) |

|
| Telemetry showed the MD5 hash value of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR. The telemetry was tainted by the parent PowerShell File Write alert.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
| |
| F-Secure |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
[3]
| |
| GoSecure |
|
None |
|
| No detection capability demonstrated for this procedure, though telemetry later identified recycler.exe as WinRAR during execution (no detections identified it as WinRAR upon file copy).
[1]
[2]
[3]
| |
| McAfee |
|
Telemetry |
|
| Telemetry showed the MD5/SHA256 hash value of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR.
[1]
[2]
[3]
[4]
| |
| Microsoft |
|
Telemetry |
|
| Telemetry showed file creation of recycler.exe on CodeRed. Binary reputation and metadata for recycler.exe showed the hash and publisher signature (win.rar GmbH), indicating the file is actually the WinRAR utility.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed the MD5 and SHA256 hash values of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR. The telemetry was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
[4]
| |
| RSA |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed a file creation event for recycler.exe on CodeRed along with MD5, SHA1, and SHA256 hashes. The hashes could be used to look up information on the binary. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
[1]
[2]
[3]
[4]
[5]
| |
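Every vendor that surfaced the recycler.exe procedure did so through one of two facts: the file's hash was already known as WinRAR, or its embedded metadata (product name, version-info original file name, win.rar GmbH signer) did not match the name it was written under. The following added example, not from the evaluation or any vendor's code, applies both checks to constructed file-creation records. It assumes the version-info fields and signer have already been extracted by the sensor; the hashes and the reputation map are constructed.

```python
"""Detect masquerading by comparing a file's on-disk name with its hash
reputation and version-info OriginalFilename. Sample data is constructed."""
import hashlib
import ntpath


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed reputation store: hash -> name the binary is known by elsewhere.
WINRAR_HASH = _sha256(b"constructed-winrar-bytes")
KNOWN_HASHES = {WINRAR_HASH: "WinRAR.exe"}

# Constructed file-creation records with metadata the sensor extracted.
SAMPLE_FILE_EVENTS = [
    {"path": "C:\\$Recycle.Bin\\recycler.exe", "sha256": WINRAR_HASH,
     "original_filename": "WinRAR.exe", "product": "WinRAR", "signer": "win.rar GmbH"},
    # The same binary under its real name is not masquerading.
    {"path": "C:\\Program Files\\WinRAR\\WinRAR.exe", "sha256": WINRAR_HASH,
     "original_filename": "WinRAR.exe", "product": "WinRAR", "signer": "win.rar GmbH"},
    {"path": "C:\\Windows\\System32\\notepad.exe",
     "sha256": _sha256(b"constructed-notepad-bytes"),
     "original_filename": "NOTEPAD.EXE", "product": "Microsoft Windows Operating System",
     "signer": "Microsoft Windows"},
    # Unknown file with no version info: nothing to compare against.
    {"path": "C:\\Users\\debbie\\tool.exe", "sha256": _sha256(b"unknown"),
     "original_filename": None, "product": None, "signer": None},
]


def detect_masquerading(events, reputation=KNOWN_HASHES):
    """Report files whose on-disk name disagrees with what the bytes claim to be."""
    findings = []
    for e in events:
        on_disk = ntpath.basename(e["path"]).lower()
        reasons = []
        orig = (e.get("original_filename") or "").lower()
        if orig and orig != on_disk:
            reasons.append(f"version info OriginalFilename is {e['original_filename']}")
        known = reputation.get(e["sha256"])
        if known and known.lower() != on_disk:
            reasons.append(f"hash matches {known}")
        if reasons:
            findings.append({"path": e["path"], "signer": e["signer"],
                             "reasons": reasons, "technique": "T1036 Masquerading"})
    return findings


if __name__ == "__main__":
    for f in detect_masquerading(SAMPLE_FILE_EVENTS):
        print(f)
```

Keeping the signer in the finding matters for triage: a valid win.rar GmbH signature on a file named recycler.exe tells the analyst the tool is genuine WinRAR rather than a trojanised copy, which is exactly the conclusion the Microsoft and Carbon Black rows reached.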
| Carbon Black |
|
Telemetry |
|
| Telemetry showed the creation of recycler.exe.
[1]
[2]
[3]
[4]
| |
| CrowdStrike |
|
Telemetry (Tainted) |

|
| Telemetry showed file write of recycler.exe by powershell.exe as well as the network connection over which the download occurred. The process tree view showed the parent powershell.exe process as tainted by a previous wscript.exe detection.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| Cybereason |
|
Telemetry (Tainted) |

|
| Telemetry showed the file creation of recycler.exe by powershell.exe. The telemetry was tainted by a parent PowerShell alert listed as the owner process.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
| |
| Endgame |
|
Telemetry (Tainted) |

|
| Telemetry showed the file creation of recycler.exe by powershell.exe. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts.
[1]
[2]
[3]
[4]
| |
| FireEye |
|
Specific Behavior (Delayed) |

|
| The Managed Defense Report indicated a Specific Behavior occurred because it indicated the attacker placed recycler.exe on the system.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
|
|
Enrichment |
|
| The capability enriched powershell.exe writing recycler.exe with an alert for PowerShell File Write (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and Tactics (Command and Control, Lateral Movement).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
| |
| GoSecure |
|
General Behavior (Configuration Change) |

|
| A General Behavior alert called "Policy Dropper Behavior" was generated based on three events occurring in the same parent process within a set time frame, a network connection (TCP Outbound to 192.168.0.5 over 443) followed by an executable file create (powershell.exe creating recycler.exe) followed by a process spawning from that executable (powershell.exe creating the recycler.exe process).
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe creating recycler.exe. The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe creating the recycler.exe file (tainted by a prior alert on a PowerShell script with a suspicious command line that was generated by numerous scripts).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
| |
| Palo Alto Networks |
|
General Behavior (Tainted) |

|
| A General Behavior alert was generated for executables created to disk by the Windows scripting engine. The alert was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
|
|
Telemetry (Tainted) |

|
| Telemetry showed the file create and write events for recycler.exe. The telemetry was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
|
|
General Behavior (Tainted) |

|
| A General Behavior alert was generated for PowerShell dropping an executable file to disk. The alert was tainted by a parent alert on wscript.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed a file write event for recycler.exe.
[1]
[2]
[3]
[4]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed file write of recycler.exe with hash value. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
[1]
[2]
[3]
[4]
[5]
[6]
| |
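GoSecure's "Policy Dropper Behavior" row is the one place in this procedure where the table spells out a correlation rule: within one parent process and a set time frame, a network connection, then creation of an executable, then a process spawned from that executable. The following added example, not GoSecure's or any vendor's code, implements that three-step correlation over constructed timestamped events; the window length, pids and timestamps are assumptions, and the 192.168.0.5:443 destination is taken from the row above.

```python
"""Correlate network connection -> executable drop -> execution of the dropped
file within one parent process and a time window. Sample data is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed events keyed by the pid that performed them (the parent process).
SAMPLE_EVENTS = [
    {"ts": "2019-05-01T10:00:00", "type": "net", "pid": 300,
     "detail": "TCP outbound 192.168.0.5:443"},
    {"ts": "2019-05-01T10:00:02", "type": "file_create", "pid": 300,
     "detail": "C:\\$Recycle.Bin\\recycler.exe"},
    {"ts": "2019-05-01T10:00:05", "type": "process_create", "pid": 300,
     "detail": "C:\\$Recycle.Bin\\recycler.exe"},
    # Download that only wrote a document: no executable, no finding.
    {"ts": "2019-05-01T10:01:00", "type": "net", "pid": 500,
     "detail": "TCP outbound 10.0.0.5:445"},
    {"ts": "2019-05-01T10:01:01", "type": "file_create", "pid": 500,
     "detail": "C:\\Users\\debbie\\report.docx"},
    # Executable dropped, but run long after the window closed.
    {"ts": "2019-05-01T10:00:00", "type": "net", "pid": 600,
     "detail": "TCP outbound 203.0.113.10:443"},
    {"ts": "2019-05-01T10:00:01", "type": "file_create", "pid": 600,
     "detail": "C:\\Temp\\setup.exe"},
    {"ts": "2019-05-01T10:05:00", "type": "process_create", "pid": 600,
     "detail": "C:\\Temp\\setup.exe"},
]


def detect_dropper_chain(events, window_seconds=60):
    """Return one finding per (net, exe create, exe run) chain that completes
    inside window_seconds within a single parent process."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        for i, net in enumerate(evs):
            if net["type"] != "net":
                continue
            for j in range(i + 1, len(evs)):
                fc = evs[j]
                if fc["type"] != "file_create" or not fc["detail"].lower().endswith(".exe"):
                    continue
                for pc in evs[j + 1:]:
                    if pc["type"] == "process_create" and pc["detail"].lower() == fc["detail"].lower():
                        elapsed = (pc["ts"] - net["ts"]).total_seconds()
                        if elapsed <= window_seconds:
                            findings.append({"pid": pid, "remote": net["detail"],
                                             "dropped": fc["detail"],
                                             "elapsed_seconds": elapsed})
                        break  # first execution of this dropped file decides
    return findings


if __name__ == "__main__":
    for f in detect_dropper_chain(SAMPLE_EVENTS):
        print(f)
```

The ordering constraint is what keeps this rule precise: all three event types are common on their own, and it is the sequence inside one process within a short window that makes a download-and-run pattern stand out.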
| Carbon Black |
|
Telemetry |
|
| Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and that file compression and encryption were used to create an encrypted archive. Telemetry also showed the creation of old.rar as the output of recycler.exe running.
[1]
[2]
[3]
|
|
Enrichment |
|
| The capability enriched recycler.exe with the correct ATT&CK Technique (T1002 - Data Compressed).
[1]
[2]
[3]
| |
| CrowdStrike |
|
Telemetry |
|
| Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view.
[1]
[2]
[3]
|
|
Specific Behavior (Tainted) |

|
| A Specific Behavior alert was generated for a RAR archive "written by a process with suspicious command line arguments." The alert showed the command-line details and was tagged with the correct ATT&CK Technique (Data Compressed) and Tactic (Exfiltration). The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection.
[1]
[2]
[3]
|
|
Specific Behavior (Delayed) |

|
| The OverWatch team sent an email indicating they observed a Specific Behavior because a .vsdx file was archived for likely exfiltration using the renamed RAR binary, recycler.exe.
[1]
[2]
[3]
| |
| Cybereason |
|
Telemetry (Tainted) |

|
| Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent PowerShell alert.
[1]
| |
| Endgame |
|
Enrichment (Delayed, Tainted) |
 
|
| The capability enriched recycler.exe with a related ATT&CK Technique (T1022 - Data Encrypted) and Tactic (Exfiltration). The enrichment was tainted by a parent Windows Script Executing PowerShell alert.
[1]
[2]
|
|
Specific Behavior (Tainted) |

|
| A Specific Behavior alert was generated on execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar". The alert was tainted by parent Windows Script Executing PowerShell alert.
[1]
[2]
|
|
Telemetry (Tainted) |

|
| Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data. The telemetry was tainted by parent Windows Script Executing PowerShell alert.
[1]
[2]
| |
| FireEye |
|
Enrichment |
|
| The capability enriched the file write of RAR with a second alert for Rar Archive Created (Weak Signal) based on the header values of the file. The alert was also tagged with the correct ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration).
[1]
[2]
[3]
[4]
[5]
[6]
|
|
General Behavior |
|
| A General Behavior alert called File Write To Root Of Recycle Bin (Weak Signal) was generated for old.rar being written to the root of the Recycle Bin. The alert noted that all legitimate files should be written to a subfolder of the Recycle Bin.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
General Behavior |
|
| A General Behavior alert was generated for Execution from Suspicious Directory (Weak Signal). The alert detected processes running from uncommon locations, and included recycler.exe executing with full command-line arguments, including the use of the -hp flag to encrypt and compress data.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Enrichment |
|
| The capability enriched the command line output containing -hp with an alert for Possible Encrypted RAR Archive Command (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1002 - Data Compressed).
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Specific Behavior (Delayed) |

|
| The Managed Defense Report indicated a Specific Behavior occurred because it indicated the attacker executed recycler.exe to create an encrypted RAR file old.rar.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Enrichment |
|
| The capability enriched the file write of RAR with an alert for Rar Archive Created (Weak Signal) based on the header values of the file. The alert was also tagged with the correct ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration).
[1]
[2]
[3]
[4]
[5]
[6]
| |
| F-Secure |
|
General Behavior |
|
| A General Behavior alert was generated showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe).
[1]
[2]
[3]
|
|
Telemetry |
|
| Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. Additionally recycler.exe was identified as WinRAR via file metadata, including executable product and description. Telemetry also showed the creation of old.rar as the output of recycler.exe running.
[1]
[2]
[3]
| |
| GoSecure |
|
Telemetry (Tainted) |

|
| Telemetry showed powershell.exe creating recycler.exe and executing the command-line arguments including the -hp flag indicating WinRAR utility execution with compression and encryption. The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts
[1]
[2]
|
|
Enrichment (Configuration Change, Tainted) |
 
|
| The capability showed recycler.exe creating old.rar in the Recycle Bin and enriched the data with "Data Exfiltration Archiving" due to the archive file being created. The enrichment was tainted by parent "Powershell executed encoded command" alerts.
[1]
[2]
| |
| McAfee |
|
Telemetry (Tainted) |

|
| Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and file compression and encryption was used to create an encrypted archive. Telemetry also showed the creation of old.rar as the output of recycler.exe running. The telemetry was tainted by a trace detection on cmd.exe.
[1]
[2]
| |
| Microsoft |
|
Telemetry (Tainted) |

|
| Telemetry showed execution sequence for recycler.exe with WinRAR command-line arguments, including the -hp flag, for data encryption and compression (tainted by alert on PowerShell script with a suspicious command-line was generated by numerous scripts).
[1]
[2]
| |
| Palo Alto Networks |
|
Telemetry (Tainted) |

|
| Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent alert on wscript.exe
[1]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed execution of recycler.exe with full command-line arguments, including -hp flag, indicating compression and encryption was used with a WinRAR utility.
[1]
| |
| SentinelOne |
|
Telemetry (Tainted) |

|
| Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
[1]
[2]
| |
| Vendor | Detection Type | Notes |
| --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and that file compression and encryption were used to create an encrypted archive. |
| Carbon Black | Enrichment | The capability enriched recycler.exe with the correct ATT&CK Technique (T1022 - Data Encrypted). |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team sent an email indicating a Specific Behavior was observed because a .vsdx file was archived for likely exfiltration using the renamed WinRAR binary, recycler.exe. |
| CrowdStrike | Specific Behavior (Tainted) | A Specific Behavior alert was created for a RAR archive "written by a process with suspicious command line arguments." Details showed the -hp flag within the command line, which indicated use of encryption, and the alert was mapped to a related ATT&CK Technique (Data Compressed) and the correct Tactic (Exfiltration). The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection. |
| CrowdStrike | Telemetry | Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view. |
| Cybereason | Telemetry (Tainted) | Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent PowerShell alert. |
| Endgame | Specific Behavior (Tainted) | A Specific Behavior alert named "Exfiltration-Encrypting Files with WinRar" was generated on execution of recycler.exe. The alert was tainted by the parent Windows Script Executing PowerShell alert. |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched recycler.exe with the correct ATT&CK Technique (T1022 - Data Encrypted) and Tactic (Exfiltration). The enrichment was tainted by the parent Windows Script Executing PowerShell alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data. The telemetry was tainted by the parent Windows Script Executing PowerShell alert. |
| FireEye | General Behavior | A General Behavior alert called File Write To Root Of Recycle Bin (Weak Signal) was generated for old.rar being written to the root of the Recycle Bin. The alert noted that all legitimate files should be written to a subfolder of the Recycle Bin. |
| FireEye | Enrichment | The capability enriched recycler.exe writing old.rar to the root of the Recycle Bin with an alert for Rar Archive Created (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it observed recycler.exe creating an encrypted RAR archive. |
| FireEye | General Behavior | A General Behavior alert was generated for Execution from Suspicious Directory (Weak Signal). The alert detected processes running from uncommon locations, and included recycler.exe executing with full command-line arguments, including the use of the -hp flag to encrypt and compress data. |
| FireEye | Enrichment | The capability enriched an alert for Possible Encrypted RAR Archive Command (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1022 - Data Encrypted). |
| FireEye | Enrichment | The capability enriched the file write of the RAR archive with an alert for Rar Archive Created (Weak Signal) based on the header values of the file. The alert was also tagged with a related ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration). |
| F-Secure | General Behavior | A General Behavior alert was generated showing that a spawned process (recycler) was tagged for monitoring because its parent process (powershell.exe) had a detection. |
| F-Secure | Telemetry | Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe creating recycler.exe and executing it with command-line arguments including the -hp flag, indicating WinRAR utility execution with compression and encryption. The telemetry was tainted by the parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts. |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed recycler.exe creating old.rar in the Recycle Bin and enriched the data with "Data Exfiltration Archiving" due to the archive file being created. The enrichment was tainted by the parent "Powershell executed encoded command" alerts. |
| McAfee | Telemetry (Tainted) | Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and that file compression and encryption were used to create an encrypted archive. Telemetry also showed the creation of old.rar as the output of recycler.exe running. The telemetry was tainted by a trace detection on cmd.exe. |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence for recycler.exe with WinRAR command-line arguments, including the -hp flag, for data encryption and compression (tainted by an alert on a PowerShell script with a suspicious command line that was generated by numerous scripts). |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed execution of recycler.exe with full command-line arguments, including the -hp flag, indicating compression and encryption were used with a WinRAR utility. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Notes |
| --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and that file compression and encryption were used to create an encrypted archive. |
| Carbon Black | Specific Behavior | A Specific Behavior alert was generated on execution of recycler.exe, indicating it was WinRAR masquerading as a renamed process. |
| CrowdStrike | Telemetry | Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view. |
| CrowdStrike | Specific Behavior (Tainted) | A Specific Behavior alert was created for a RAR archive "written by a process with suspicious command line arguments." Details showed that recycler.exe wrote a RAR archive and that recycler.exe was signed by win.rar GmbH. The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection. |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team sent an email indicating a Specific Behavior was observed because a .vsdx file was archived for likely exfiltration using the renamed WinRAR binary, recycler.exe. |
| Cybereason | Telemetry (Tainted) | Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent PowerShell alert. |
| Endgame | Specific Behavior (Tainted) | A Specific Behavior alert named "Exfiltration-Encrypting Files with WinRar" was generated on execution of recycler.exe. The alert was tainted by the parent Windows Script Executing PowerShell alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by the parent Windows Script Executing PowerShell alert. |
| FireEye | General Behavior | A General Behavior alert was generated for Execution from Suspicious Directory (Weak Signal). The alert detected processes running from uncommon locations, and included recycler.exe executing with full command-line arguments, including the use of the -hp flag to encrypt and compress data. |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it observed recycler.exe creating an encrypted RAR archive. |
| FireEye | Enrichment | The capability enriched recycler.exe writing old.rar to the root of the Recycle Bin with an alert for Rar Archive Created (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration). |
| FireEye | General Behavior | A General Behavior alert called File Write To Root Of Recycle Bin (Weak Signal) was generated for old.rar being written to the root of the Recycle Bin. The alert noted that all legitimate files should be written to a subfolder of the Recycle Bin. |
| FireEye | Enrichment | The capability enriched the file write of the RAR archive with an alert for Rar Archive Created (Weak Signal) based on the header values of the file. The alert was also tagged with a related ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration). |
| FireEye | Enrichment | The capability enriched an alert for Possible Encrypted RAR Archive Command (Weak Signal). The alert was also tagged with related ATT&CK Techniques (T1022 - Data Encrypted and T1002 - Data Compressed). |
| F-Secure | Telemetry | Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. Additionally, recycler.exe was identified as WinRAR via file metadata, including executable product and description. |
| GoSecure | Enrichment (Configuration Change, Tainted) | The capability showed recycler.exe creating old.rar in the Recycle Bin and enriched the data with "Data Exfiltration Archiving" due to the archive file being created. The enrichment was tainted by the parent "Powershell executed encoded command" alerts. |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe creating recycler.exe and executing it with command-line arguments including the -hp flag, indicating WinRAR utility execution with compression and encryption. The telemetry was tainted by the parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts. |
| McAfee | Telemetry (Tainted) | Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and that file compression and encryption were used to create an encrypted archive. Telemetry also showed the creation of old.rar as the output of recycler.exe running. The telemetry was tainted by a trace detection on cmd.exe. |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence for recycler.exe with RAR command-line arguments, including the -hp flag, for data encryption and compression, indicating it was actually WinRAR masquerading as a different file (tainted by an alert on a PowerShell script with a suspicious command line that was generated by numerous scripts). |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent alert on wscript.exe. |
| Palo Alto Networks | Enrichment | The capability enriched recycler.exe executing with command-line arguments with a related ATT&CK Technique (Masquerading). |
| RSA | Telemetry | Telemetry showed execution of recycler.exe with full command-line arguments, including the -hp flag, indicating compression and encryption were used with a WinRAR utility. |
| SentinelOne | Enrichment (Tainted) | Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The Process Name field in the row for recycler.exe enriched the event with "Command line RAR". The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Notes |
| --- | --- | --- |
| Carbon Black | Enrichment | The capability enriched ftp.exe with the correct ATT&CK Technique (Exfil Over Alternate Protocol). |
| Carbon Black | Telemetry | Telemetry showed a process tree for ftp.exe being executed with command-line arguments including ftp.txt. |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team sent an email indicating a Specific Behavior was observed because collected files were exfiltrated via FTP. |
| CrowdStrike | General Behavior (Delayed, Tainted) | OverWatch generated a General Behavior alert indicating that ftp.exe executing with ftp.txt was suspicious. The process tree view showed ftp.exe as tainted by a previous powershell.exe detection. |
| CrowdStrike | Telemetry | Telemetry within the OverWatch alert showed ftp.exe executing with ftp.txt. |
| Cybereason | Telemetry | Telemetry showed the execution of ftp.exe and its command-line arguments. |
| Cybereason | Enrichment (Tainted) | The capability enriched ftp.exe execution with a related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol). The data was tainted by a parent PowerShell alert. |
| Endgame | Telemetry (Tainted) | Telemetry showed the creation of ftp.txt and ftp.exe executing with command-line arguments. Telemetry also showed the FTP connection to 192.168.0.4 (C2 server) on port 21. |
| FireEye | Enrichment | The capability enriched ftp.exe execution with an alert for FTP Utility Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Software (T0095 - FTP). |
| FireEye | Enrichment | The capability enriched a TCP port 21 connection to 192.168.0.4 (C2 server) with an alert for FTP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1048 - Exfiltration Over Alternative Protocol) and Tactic (Exfiltration). |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it observed the ftp commands being written to ftp.txt and the subsequent execution of ftp.exe with the file. The old.rar file was seen uploaded to 192.168.0.4 (C2 server). |
| FireEye | Enrichment | The capability enriched ftp.exe with the -s argument with a separate alert for FTP Utility Execution (Weak Signal). |
| F-Secure | Specific Behavior | A Specific Behavior alert was generated for the execution of ftp.exe with a command file option by an unusual parent process, which could be used for exfiltration. |
| F-Secure | Telemetry | Telemetry showed ftp.exe with ftp.txt as an argument as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe executing ftp.exe with ftp.txt as an argument as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. The telemetry was tainted by the parent "Powershell executed encoded commands" alert. |
| McAfee | Enrichment | The capability enriched powershell.exe executing ftp.exe with the correct ATT&CK Tactic (Exfiltration) and Technique (Exfiltration over Alternative Protocol) and a suspicious indicator that a connection was made to a remote server via the ftp protocol. |
| McAfee | Telemetry (Tainted) | Telemetry showed powershell.exe executing ftp.exe, which made an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. The telemetry was tainted by a trace detection on cmd.exe. |
| Microsoft | Telemetry (Tainted) | Telemetry showed the execution sequence for ftp.exe with command-line arguments including ftp.txt (tainted by an alert on a PowerShell script with a suspicious command line that was generated by numerous scripts). Telemetry also showed connections to 192.168.0.4 (C2 server) on ports 20 and 21 for the FTP connection. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed the execution of ftp.exe and its command-line arguments as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| Palo Alto Networks | Enrichment (Tainted) | The capability enriched ftp.exe as the execution of a CLI file transfer/copy utility. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| RSA | Telemetry | Telemetry showed the execution of ftp.exe with command-line arguments, including ftp.txt, for exfiltration. The contents of ftp.txt were not seen. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed ftp.exe running with ftp.txt as an argument. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Notes |
| --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed the deletion of old.rar. |
| CrowdStrike | Telemetry | Telemetry showed the deletion of old.rar with an event name of FileDeleted. |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team sent an email indicating a Specific Behavior was observed because files (including old.rar) were deleted from the host CodeRed. |
| Cybereason | Telemetry (Tainted) | Telemetry showed a deletion event for old.rar via powershell.exe. The telemetry was tainted by a parent PowerShell alert listed as the owner process. |
| Endgame | None | No detection capability demonstrated for this procedure, though there was telemetry to show the creation of old.rar. A host query for the file showed that old.rar no longer existed, but no deletion event was seen. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | Telemetry | Telemetry showed powershell.exe executing the command to delete old.rar. |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe deleting old.rar from the Recycle Bin. The telemetry was tainted by the parent "PowerShell executed encoded commands" alert. |
| McAfee | None | No detection capability demonstrated for this procedure. |
| Microsoft | None | No detection capability demonstrated for this procedure, though data showed the execution sequence for the PowerShell "Remove-Item" cmdlet (no arguments were available to indicate what was deleted). |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed the file delete event for old.rar. The telemetry was tainted by a parent alert on wscript.exe. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed the file deletion of old.rar. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Notes |
| --- | --- | --- |
| Carbon Black | Telemetry | Telemetry showed the deletion of recycler.exe. |
| CrowdStrike | Specific Behavior (Delayed) | The OverWatch team sent an email indicating a Specific Behavior was observed because files (including recycler.exe) were deleted from the host CodeRed. |
| CrowdStrike | Telemetry | Telemetry showed the deletion of recycler.exe with an event name of ExecutableDeleted. |
| Cybereason | Telemetry (Tainted) | Telemetry showed a deletion event for recycler.exe via powershell.exe. The telemetry was tainted by a parent PowerShell alert listed as the owner process. |
| Endgame | Telemetry | Telemetry showed a deletion event for recycler.exe caused by powershell.exe. |
| FireEye | None | No detection capability demonstrated for this procedure. |
| F-Secure | Telemetry | Telemetry showed powershell.exe executing the command to delete recycler.exe. |
| GoSecure | Telemetry (Tainted) | Telemetry showed powershell.exe deleting recycler.exe. The telemetry was tainted by the parent "PowerShell executed encoded commands" alert. |
| McAfee | Enrichment | The capability enriched PowerShell deleting recycler.exe with the correct ATT&CK Tactic (Defense Evasion) and Technique (File Deletion) and a suspicious indicator that an executable file was deleted from the system root folder. |
| McAfee | Telemetry (Tainted) | Telemetry showed the file deletion event for recycler.exe. The telemetry was tainted by a trace detection on cmd.exe. |
| Microsoft | None | No detection capability demonstrated for this procedure. |
| Palo Alto Networks | Telemetry (Tainted) | Telemetry showed the file delete event for recycler.exe. The telemetry was tainted by a parent alert on wscript.exe. |
| RSA | None | No detection capability demonstrated for this procedure. |
| SentinelOne | Telemetry (Tainted) | Telemetry showed the file deletion of recycler.exe. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). |
| Vendor | Detection Type | Notes |
| --- | --- | --- |
| Carbon Black | General Behavior | A General Behavior alert was generated named "Execution of cmd from non-standard path" with a 60/100 severity score. |
| Carbon Black | Specific Behavior | A Specific Behavior alert was generated on execution of magnify.exe named "Suspicious screen magnifier process" with a 76/100 severity score. |
| Carbon Black | General Behavior | A General Behavior alert was generated named "Suspicious renamed cmd process" with a 72/100 severity score. |
| Carbon Black | Telemetry | Telemetry within the process tree showed magnify.exe executing from utilman.exe. |
| CrowdStrike | Telemetry | Telemetry within the alert showed the details for magnify.exe, and would also be available in a separate view. |
| CrowdStrike | Specific Behavior | A Specific Behavior alert was generated on utilman.exe executing magnify.exe, noting that "a process chain bypassed Windows logon security." The alert was marked critical and was mapped to the correct ATT&CK Technique (Accessibility Features) and Tactic (Persistence). Data in the alert also showed that magnify.exe was identified as cmd.exe based on the hash value in the common name field. |
| CrowdStrike | General Behavior (Delayed) | OverWatch generated a General Behavior alert indicating a Windows logon bypass on Creeper was observed. |
| Cybereason | Specific Behavior | A Specific Behavior alert was generated based on a new process masquerading as a Windows accessibility feature, mapped to the correct ATT&CK Tactic (Persistence) and Technique (Accessibility Features). |
| Cybereason | Telemetry | Telemetry showed the execution of magnify.exe. |
| Endgame | Telemetry (Tainted) | Telemetry in the event tree showed the execution of magnify.exe by utilman.exe (tainted by the Windows File Name Mismatch alert). |
| Endgame | Enrichment (Delayed, Tainted) | The capability enriched magnify.exe with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution) (tainted by the Windows File Name Mismatch alert). |
| Endgame | Specific Behavior | A Specific Behavior alert was generated on a Windows File Name Mismatch between magnify.exe and cmd.exe, with the description indicating this could be used for accessibility features. The alert was tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution). |
| FireEye | Specific Behavior | A Specific Behavior alert was generated for Accessibility Features Child Process due to whoami.exe spawning from magnify.exe. The alert was also tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Persistence, Privilege Escalation). |
| FireEye | General Behavior | A General Behavior alert was generated for RENAMED CMD.EXE, with a description explaining how attackers will sometimes rename cmd.exe to other filenames to try to bypass detections. |
| FireEye | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker replaced the magnifier.exe accessibility feature to launch a privileged command shell. |
| F-Secure | Enrichment | The capability enriched utilman.exe executing magnify.exe with a tag indicating that magnify was a persistent backdoor. |
| F-Secure | Telemetry | Telemetry showed magnify.exe executing from utilman.exe with the original file name of cmd.exe. |
| F-Secure | General Behavior | A General Behavior alert was generated for magnify.exe executing as a process with a renamed executable. |
| GoSecure | Telemetry (Tainted) | Telemetry showed magnify.exe executing from parent process utilman.exe (PID 3996). The telemetry was tainted by the parent POS Interactive Login Event alert. |
| McAfee | Specific Behavior | A Specific Behavior alert was generated for the command prompt tool executed by masquerading as an accessibility tool. The alert was tagged with the correct ATT&CK Tactics (Persistence, Privilege Escalation) and Technique (Accessibility Features). |
| McAfee | Telemetry (Tainted) | Telemetry showed magnify.exe (original name identified as cmd.exe) executing from utilman.exe. The telemetry was tainted by a trace detection on magnify.exe. |
| Microsoft | Telemetry | Telemetry showed execution of magnify.exe from utilman.exe. |
| Microsoft | Specific Behavior | A Specific Behavior alert was generated on a successful sticky keys binary hijack because magnify.exe was executing as cmd.exe. |
| Palo Alto Networks | Telemetry | Telemetry showed magnify.exe executing from utilman.exe. |
| RSA | Telemetry | Telemetry showed execution of magnify.exe. |
| SentinelOne | Telemetry | Telemetry showed execution of magnify.exe, which was identified as a Windows Command Processor within the interface. The activity was associated with a new story (Group ID). |
| Carbon Black |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
[3]
[4]
[5]
| |
| CrowdStrike |
|
Telemetry |
|
| Telemetry showed a logon type 10 (remote interactive logon) for Kmitnick on Creeper, indicating a RDP session was established and logged into.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
| |
| Cybereason |
|
Telemetry |
|
| Telemetry showed creation of a RDP session on Creeper (10.0.0.4).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Enrichment |
|
| The capability enriched a RDP connection with information that the connection was made to a RDP port, as well as a related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| Endgame |
|
Telemetry |
|
| Telemetry showed a connection to port 3389 on Creeper (10.0.0.4) with information transmitted in bytes indicating a RDP session was established.
[1]
[2]
[3]
[4]
[5]
| |
| FireEye |
|
Enrichment |
|
| The capability enriched a TCP port 3389 connection with an alert for RDP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1076 - Remote Desktop Protocol) and Tactic (Lateral Movement).
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Specific Behavior (Delayed) |
|
| The Managed Defense Report indicated a Specific Behavior occurred because it identified the use of the Remote Desktop Protocol to connect to Creeper.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| F-Secure |
|
Enrichment |
|
| The capability enriched a Remote Desktop connection indicating a successful login to Remote Desktop Services.
[1]
[2]
[3]
| |
| GoSecure |
|
Telemetry |
|
| Telemetry showed an inbound connection to Creeper (10.0.0.4) on port 3389.
[1]
[2]
[3]
[4]
| |
| McAfee |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
[3]
[4]
[5]
| |
| Microsoft |
|
Telemetry |
|
| Telemetry showed creation of a terminal services session on Creeper from CodeRed with corresponding logon by Kmitnick.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
| |
| Palo Alto Networks |
|
Telemetry |
|
| Telemetry showed an inbound connection to Creeper (10.0.0.4) on port 3389.
[1]
[2]
[3]
[4]
[5]
| |
| RSA |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
| |
| SentinelOne |
|
None |
|
| No detection capability demonstrated for this procedure.
[1]
[2]
[3]
| |
| Carbon Black |
|
Enrichment |
|
| The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery).
[1]
[2]
[3]
[4]
[5]
|
|
Telemetry |
|
| Telemetry within the process tree showed magnify.exe executing whoami.exe.
[1]
[2]
[3]
[4]
[5]
| |
| CrowdStrike |
|
Telemetry (Tainted) |
|
| Telemetry showed execution of whoami.exe. The process tree view showed whoami.exe was tainted by a previous magnify.exe detection.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| Cybereason |
|
Specific Behavior (Tainted) |
|
| A Specific Behavior alert was generated based on whoami.exe performing Reconnaissance as a SYSTEM user. The alert was tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery). The alert was tainted by a parent Accessibility Features alert.
[1]
[2]
[3]
[4]
|
|
Telemetry |
|
| Telemetry showed the execution of whoami.exe.
[1]
[2]
[3]
[4]
| |
| Endgame |
|
Enrichment (Delayed, Tainted) |
|
| The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery). The enrichment was tainted by an alert on Windows File Name Mismatch-Accessibility Features.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
|
|
Telemetry (Tainted) |
|
| Telemetry showed whoami.exe was executed from magnify.exe. The telemetry was tainted by an alert on Windows File Name Mismatch-Accessibility Features.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
| |
| FireEye |
|
Enrichment |
|
| The capability enriched whoami.exe with an alert for Whoami Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
|
|
Telemetry (Tainted) |
|
| Telemetry showed whoami.exe executing from magnify.exe within an alert for Accessibility Features Child Process. The telemetry was tainted by the Accessibility Features Child Process (METHODOLOGY) alert.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
| |
| F-Secure |
|
Enrichment |
|
| The capability enriched whoami.exe with a tag identifying the command as enumeration.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
|
|
General Behavior |
|
| A General Behavior alert was generated showing that a spawned process (whoami) had been tagged for monitoring because its parent process (magnify.exe) had a detection.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
|
|
Telemetry |
|
| Telemetry showed whoami.exe was executed from magnify.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
| |
| GoSecure |
|
Telemetry (Tainted) |
|
| Telemetry showed magnify.exe executing whoami.exe. The telemetry was tainted by the parent POS Interactive Login Event alert.
[1]
[2]
[3]
| |
| McAfee |
|
Specific Behavior |
|
| A Specific Behavior alert was generated because the whoami command was executed through a masqueraded tool (magnify.exe).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
|
|
Telemetry (Tainted) |
|
| Telemetry showed magnify.exe (original name identified as cmd.exe) executing whoami.exe. The telemetry was tainted by a trace detection on magnify.exe.
[1]
[2]
[3]
[4]
[5]
[6]
[7]
| |
| Microsoft |
|
Telemetry (Tainted) |
|
| Telemetry showed whoami.exe executing from magnify.exe (tainted by sticky keys binary hijack alert).
[1]
[2]
[3]
[4]
[5]
[6]
[7]
| |
| Palo Alto Networks |
|
Enrichment |
|
| The capability enriched the execution of whoami.exe as an enumeration command.
[1]
[2]
[3]
[4]
[5]
[6]
|
|
Telemetry |
|
| Telemetry showed magnify.exe executing whoami.exe.
[1]
[2]
[3]
[4]
[5]
[6]
| |
| RSA |
|
Telemetry |
|
| Telemetry showed execution of whoami.exe.
[1]
[2]
[3]
| |
| SentinelOne |
|
Enrichment |
|
| Enrichment showed execution of the whoami command (enriched with the description "whoami - displays logged on user information"). Execution of whoami was associated with the story (Group ID) created from the execution of magnify.exe, but was not considered tainted because an alert was not generated when magnify.exe was executed.
[1]
[2]
[3]
[4]
| |
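As an added defender-side example (not part of the evaluation results or any vendor's product code), the following Python analytic implements the three checks the rows above describe, a PE file-name mismatch on an accessibility binary (the sticky keys hijack, magnify.exe whose original name is cmd.exe), taint propagation to its child whoami.exe, and a type 10 RDP logon, over constructed sample events. The event schema is assumed; T1015 is the Accessibility Features technique ID in the ATT&CK version these results use and is not quoted from the page.

```python
from dataclasses import dataclass
from typing import List, Optional

# Accessibility binaries reachable from the logon screen via utilman.exe; any of
# them running with a different PE OriginalFileName is the sticky keys hijack.
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "magnify.exe", "osk.exe", "narrator.exe"}
RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)

@dataclass
class Event:              # assumed schema, modelled on Sysmon/4624 fields
    kind: str             # "process" (creation) or "logon"
    host: str
    image: str = ""       # file name on disk
    original_name: str = ""   # OriginalFileName from the PE version resource
    parent: str = ""
    user: str = ""
    logon_type: int = 0

@dataclass
class Alert:
    host: str
    title: str
    technique: str
    tainted_by: Optional[str] = None

def analyze(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    masqueraded = set()   # (host, image) pairs already flagged as hijacked
    for e in events:
        img, orig = e.image.lower(), e.original_name.lower()
        if e.kind == "logon" and e.logon_type == RDP_LOGON_TYPE:
            alerts.append(Alert(e.host, f"RDP logon (type 10) by {e.user}", "T1076"))
        elif e.kind != "process":
            continue
        elif img in ACCESSIBILITY and orig and orig != img:
            # magnify.exe whose PE header says cmd.exe: a file name mismatch.
            # Telemetry without OriginalFileName cannot make this check at all.
            alerts.append(Alert(e.host, f"{img} is really {orig}", "T1015"))
            masqueraded.add((e.host, img))
        elif (e.host, e.parent.lower()) in masqueraded:
            # Children of a flagged binary inherit its taint (whoami.exe from magnify.exe).
            tech = "T1033" if img == "whoami.exe" else "child of masqueraded process"
            alerts.append(Alert(e.host, f"{img} spawned by {e.parent}", tech, e.parent))
    return alerts

# Constructed sample telemetry mirroring the evaluation steps above.
SAMPLE_EVENTS = [
    Event("logon", "Creeper", user="Kmitnick", logon_type=10),
    Event("process", "Creeper", "magnify.exe", "Magnify.exe", "utilman.exe", "SYSTEM"),  # benign
    Event("process", "Creeper", "magnify.exe", "cmd.exe", "utilman.exe", "SYSTEM"),
    Event("process", "Creeper", "whoami.exe", "whoami.exe", "magnify.exe", "SYSTEM"),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a)
```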
|